A PoC based on the ideas of thewover (twitter @TheRealWover): https://twitter.com/TheRealWover/status/1193284444687392768?s=20 + my own experiments
Using: libpeconv.
- Payload mapped as
MEM_IMAGE
, impersonating a legitimate DLL (image linked to a file on the disk) - Sections mapped with original access rights (no
RWX
) - Not connected* to the list of modules (invisible for
Module32First
/Module32Next
)- may be connected if the 'classic DLL hollowing' was selected
- Only self-injection supported
Use recursive clone to get the repo together with all the submodules:
git clone --recursive https://github.com/hasherezade/module_overloading.git