A reminder that we should add a generic function for safely cleaning manually mapped or overloaded modules from memory after they are no longer necessary. For overloaded modules, the section should be unmapped. For manually mapped modules (in dynamic memory), they can be freed with NtFreeVirtualMemory. This will require editing the data structures to include the module's range in memory and a handle to the Section for overloaded modules.
Make sure to update the Mimikatz loader to use this, since a copy of Mimikatz floating in memory is quite suspicious.