So I've recently become interested in reflective PE injection, more specifically EXE injection. I initially made two assumptions from the code I read.
- There is no way to pass parameters (arguments) to the injected EXEs.
- There is no way to create a reflective filesystem in memory for injected EXEs to load files from.
Then I found this: https://github.com/dismantl/ImprovedReflectiveDLLInjection, which describes using a piece of bootstrap code to pass arguments to a reflectively loaded PE.
I immediately became curious; the possibility of an in-memory filesystem for reflectively loaded EXEs teased me further.
What I want is for an area of process memory (the host process for the injection) to act as a minimal filesystem for reflectively loaded EXEs to load files from. Sounds like a ramdisk, you say? In all reality, it could be considered one, but this is not what I want. I know how to implement a ramdisk programmatically using the ImDisk API and driver. What I want is for the injected EXE to consider a region of the host process's memory as a/the filesystem, to make it believe that, say, the current directory is actually a minimal filesystem stored in the host process's memory.
Is this possible? Perhaps by modifying or adding to the mentioned bootstrap code?