hasherezade/module_overloading

Module Overloading

A PoC based on the ideas of thewover (Twitter: @TheRealWover): https://twitter.com/TheRealWover/status/1193284444687392768?s=20, plus my own experiments.

Using: libpeconv.

Characteristics:

  • Payload mapped as MEM_IMAGE, impersonating a legitimate DLL (image linked to a file on the disk)
  • Sections mapped with original access rights (no RWX)
  • Not connected* to the list of modules (invisible to Module32First/Module32Next)
    • *may be connected if 'classic DLL hollowing' was selected
  • Only self-injection supported
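
A defender's cross-check for the first and third characteristics above, as an added example that is not part of this repository: list the MEM_IMAGE allocations of a process and flag those that no module-list entry accounts for. The `Region` and `Module` records, the function names and the snapshot values are hypothetical and constructed; a real scanner would fill them from VirtualQueryEx, GetMappedFileName and Module32First/Module32Next.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

constexpr uint32_t kMemImage = 0x1000000;  // MEM_IMAGE value from winnt.h
constexpr uint32_t kMemPrivate = 0x20000;  // MEM_PRIVATE value from winnt.h

// Hypothetical record: one per allocation (VirtualQueryEx + GetMappedFileName).
struct Region { uint64_t allocBase; uint32_t type; std::string mappedFile; };
// Hypothetical record: one per Module32First/Module32Next entry.
struct Module { uint64_t base; std::string path; };

// Returns every image-backed allocation that no module-list entry accounts for.
std::vector<Region> findUnlistedImages(const std::vector<Region>& regions,
                                       const std::vector<Module>& modules) {
    std::vector<Region> hits;
    for (const Region& r : regions) {
        if (r.type != kMemImage) continue;  // only file-backed image mappings
        bool listed = false;
        for (const Module& m : modules)
            if (m.base == r.allocBase) { listed = true; break; }
        if (!listed) hits.push_back(r);
    }
    return hits;
}

// Constructed snapshot of one process; addresses and paths are sample values.
std::vector<Region> scanConstructedSnapshot() {
    const std::vector<Region> regions = {
        {0x7ff600000000ULL, kMemImage, "C:\\app\\demo.exe"},
        {0x7ffb20000000ULL, kMemImage, "C:\\Windows\\System32\\kernel32.dll"},
        {0x7ffb10000000ULL, kMemImage, "C:\\Windows\\System32\\example.dll"},
        {0x000001a000000000ULL, kMemPrivate, ""},
    };
    const std::vector<Module> modules = {
        {0x7ff600000000ULL, "C:\\app\\demo.exe"},
        {0x7ffb20000000ULL, "C:\\Windows\\System32\\kernel32.dll"},
    };
    return findUnlistedImages(regions, modules);
}

int main() {
    for (const Region& r : scanConstructedSnapshot())
        std::printf("unlisted image at 0x%llx -> %s\n",
                    (unsigned long long)r.allocBase, r.mappedFile.c_str());
    return 0;
}
```

An unlisted image mapping is a lead to triage rather than a verdict, and the 'classic DLL hollowing' option noted above stays in the module list, so this check does not cover it.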

Clone:

Use recursive clone to get the repo together with all the submodules:

git clone --recursive https://github.com/hasherezade/module_overloading.git

About

A more stealthy variant of "DLL hollowing"