hasherezade / transacted_hollowing

Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
MIT License

Why transacted hollowing doesn't need to do image relocation? #3

Closed EddieIvan01 closed 2 years ago

EddieIvan01 commented 2 years ago

Hello hasherezade

https://github.com/hasherezade/transacted_hollowing/blob/main/main.cpp#L60
https://github.com/m0n0ph1/Process-Hollowing/blob/master/sourcecode/ProcessHollowing/ProcessHollowing.cpp#L162

I wonder why it is different from Process Hollowing (which needs to do relocation).

hasherezade commented 2 years ago

hi! The reason is that in Transacted Hollowing the payload is mapped as IMAGE - it means the native functions are aware of its PE header and can make use of it. If it has a relocation table, it will be recognized, and the image is going to be automatically relocated. First, NtMapViewOfSection will try to map it at its original base, the one set in the header. If that is impossible, the image is still mapped, but at a different base - the status STATUS_IMAGE_NOT_AT_BASE informs about it. In such a case, the image that has a valid import table will be automatically relocated on ResumeThread.
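The answer above hinges on whether the image carries a relocation table the loader can apply when it lands at a base other than the one in its header. As an added example (not code from this repository or from either participant), the Python below reads those header fields from a PE: the preferred ImageBase, the base-relocation data directory, the IMAGE_FILE_RELOCS_STRIPPED flag and the DYNAMIC_BASE opt-in. The sample PE32+ header is constructed inline so the parser can be exercised offline; an analyst can feed it a real file instead.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # FileHeader.Characteristics flag
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5             # index into the data directory

def relocation_info(pe: bytes) -> dict:
    """Read the header fields that decide whether a loader can rebase this image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    characteristics = struct.unpack_from("<H", pe, nt + 4 + 18)[0]
    opt = nt + 24                                        # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                                   # PE32+ (64-bit)
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                                 # PE32 (32-bit)
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    ndirs = struct.unpack_from("<I", pe, ndirs_off)[0]
    reloc_rva = reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:          # directory may be truncated
        reloc_rva, reloc_size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "relocs_stripped": stripped,
        "reloc_dir": (reloc_rva, reloc_size),
        "aslr_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # Only an image with a usable .reloc directory can be fixed up at another base.
        "has_relocations": reloc_size > 0 and not stripped,
    }

def build_sample_pe(reloc_size: int, characteristics: int = 0) -> bytes:
    """Constructed minimal PE32+ header (no sections) used only to exercise the parser."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)                                   # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)           # preferred ImageBase
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, reloc_size)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)
```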

EddieIvan01 commented 2 years ago

Got it, thx!