Chapter 5: Application Loader Design
In this chapter, we will learn how a simple application loader can execute EXE files in memory without creating a child process. We will learn how the Import Address Table (IAT) is laid out in the PE structure and write C programs to analyze it. We will then learn how to hijack Windows API calls, replace API behaviors with malicious code, and perform DLL side-loading, using examples.
In this chapter, we’re going to cover the following main topics:
- Import Address Table in PE
- Import API analyzer example
- Examples of IAT hijack
- DLL side-loading example
Import Address Table in PE
As we mentioned in Chapter 1, From Source to Binaries – The Journey of a C Program, when a program is executed, the following procedure is performed. First, a new ...