How to hide code behind a legit process Recently updated !

frogboy

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Study of a hack used by malware to hide code inside a well know process.



Introduction


Disclaimer: This is not a tutorial to make a malware, but a practical case for educational purpose only. Anyway, this is covered for decades on other websites…

Hiding a process has always being challenging for malware writers, and they found many ways to do so. The tip I’ll talk about is very basic, yet simple to write, but doesn’t work all the time. This trick is known under the name “RunPE” and has been used many time in malware industry, especially in RATs (Remote Administration Tools).

Basically, when a malware starts, it will pick a victim among the Windows processes (like explorer.exe) and start a new instance of it, in a suspended state. In that state it’s safe to modify and the malware will totally clear it from its code, extend the memory if needed, and copy its own code inside.

Then, the malware will do some magic to adjust the address of entry point as well as the base address and will resume the process.
After being resumed, the process shows being started from a file (explorer.exe) that has nothing to do anymore with what it actually does.

Read more here. http://www.adlice.com/runpe-hide-code-behind-legit-process/
 
  • Like
Reactions: Behold Eck, Koroke San, Venustus and 6 others
L

LabZero

frogboy said:
Study of a hack used by malware to hide code inside a well know process.



Introduction


Disclaimer: This is not a tutorial to make a malware, but a practical case for educational purpose only. Anyway, this is covered for decades on other websites…

Hiding a process has always being challenging for malware writers, and they found many ways to do so. The tip I’ll talk about is very basic, yet simple to write, but doesn’t work all the time. This trick is known under the name “RunPE” and has been used many time in malware industry, especially in RATs (Remote Administration Tools).

Basically, when a malware starts, it will pick a victim among the Windows processes (like explorer.exe) and start a new instance of it, in a suspended state. In that state it’s safe to modify and the malware will totally clear it from its code, extend the memory if needed, and copy its own code inside.

Then, the malware will do some magic to adjust the address of entry point as well as the base address and will resume the process.
After being resumed, the process shows being started from a file (explorer.exe) that has nothing to do anymore with what it actually does.

Read more here. http://www.adlice.com/runpe-hide-code-behind-legit-process/
Click to expand...
Welcome in MA staff friend :);)
 
  • Like
Reactions: FireShootSK, frogboy and Venustus
You must log in or register to reply here.

Similar threads

L
    • Like
How to hide randomized advertisements or placeholders with two simple user rules
Replies
2
Views
283
Web Extensions
LennyFox
L
Bot
    • Like
    • +Reputation
Hot Take From Deepfakes to Malware: AI's Expanding Role in Cyber Attacks
Replies
0
Views
161
General Security Discussions
Bot
Bot
R
    • Like
Hot Take Let's Block It! - A companion to the great uBlock Origin content blocker
Replies
2
Views
579
Web Extensions
rashmi
R

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top