Suggestions for Malware Vault testers
<blockquote data-quote="Winter Soldier" data-source="post: 663164" data-attributes="member: 59377"><p>Thanks for your input :)</p><p>Also, talking of a simple code injection into a remote process: if malware wants to execute a custom function on a thread of the remote process, it can open the remote process, allocate space for the custom function in the remote process, write the custom code into remote memory, and then call CreateRemoteThread with the function address. If the custom code uses functions with different addresses, because it has been injected into a process with a different address space, the malware writes the entire image into the remote process, but first it needs to patch the relocation table, because when executables are compiled and linked, the PE header contains an image base, an address space where the loader can load the image to execute. If this address space is not available, the loader reads the relocation table to know where it has to load the image and how to resolve all object code addresses.</p></blockquote>
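The post above describes a thread started in a remote process at code written into freshly allocated memory. As an added example (not from the post or the forum), here is the defender-side check for that pattern: triaging Sysmon Event ID 8 (CreateRemoteThread) records for threads whose start address is not backed by any loaded module, plus a simple heuristic on where the source process image lives. The log lines, process paths and addresses are constructed samples, and the one-event-per-line layout is a simplification of Sysmon's real output.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records.

A remote thread whose StartModule is empty began executing at an address no
loaded module backs, i.e. code that was written into allocated memory of the
target process, which is exactly the injection step described in the post.
Field names (SourceImage, TargetImage, StartAddress, StartModule, StartFunction)
are the ones Sysmon emits; the sample events below are constructed, not real
telemetry, and use one event per line with '|' between fields for brevity.
"""
import re

SAMPLE_EVENTS = """\
SourceImage: C:\\Windows\\System32\\csrss.exe|TargetImage: C:\\Program Files\\App\\app.exe|StartAddress: 0x00007FFB1A2B3C40|StartModule: C:\\Windows\\System32\\ntdll.dll|StartFunction: LdrInitializeThunk
SourceImage: C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|TargetImage: C:\\Windows\\explorer.exe|StartAddress: 0x0000020C4A1F0000|StartModule: |StartFunction: 
SourceImage: C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|TargetImage: C:\\Windows\\System32\\svchost.exe|StartAddress: 0x00007FFB1C0D1234|StartModule: C:\\Windows\\System32\\kernel32.dll|StartFunction: LoadLibraryW
"""

# Heuristic: source executables living in user-writable staging directories.
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|Public)\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one 'Key: value|Key: value' line into a dict (first ':' is the separator,
    so drive letters inside Windows paths are preserved)."""
    fields = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def suspicious_reasons(event: dict) -> list:
    """Return the reasons an event looks like code injection (empty list if none)."""
    reasons = []
    # Sysmon leaves StartModule blank (or '-') when the start address is unbacked.
    if event.get("StartModule", "") in ("", "-"):
        reasons.append("thread start address not backed by any loaded module")
    if USER_WRITABLE.search(event.get("SourceImage", "")):
        reasons.append("source process image is in a user-writable directory")
    return reasons


def triage(log_text: str) -> list:
    """Return (SourceImage, TargetImage, reasons) for every flagged event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = suspicious_reasons(event)
        if reasons:
            findings.append((event["SourceImage"], event["TargetImage"], reasons))
    return findings


if __name__ == "__main__":
    for src, dst, why in triage(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

The first sample (a system process starting a thread at ntdll's thread entry) is not flagged; the two events from the Temp-staged binary are, with the explorer.exe one carrying both reasons.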