I've recently become interested in reflective code injection and its big brother, process hollowing. In both, an executable image is loaded into a host process's address space, and I keep hearing that it is usually necessary to "rebase" the loaded executable once it is copied to a host process's address space. Correct me if I'm wrong, but the values in the loaded image pertaining to its actual location in a host process's address space need to reflect (no pun intended) its actual position in the host process's address space, yes?
I hear this requires parsing the relocation directory and some values such as the ImageBase value in the PE Optional Header of the PE (executable) file, but I am not quite certain as to what parsing the relocation directory does, nor how to do it, nor am I sure of what specific values need to be modified in the loaded executable to rebase it.
So I know why we rebase, I just would like someone to outline the process of fully rebasing an executable when it is reflectively loaded into a host process's address space.
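Added example, not part of the original post: what "parsing the relocation directory" means mechanically, shown in Python on a constructed in-memory buffer. The base relocation table is a sequence of blocks, each naming one 4 KB page and listing the offsets on that page that hold absolute addresses; rebasing adds (actual base minus preferred ImageBase) to each of them. The function names, the sample layout and both base addresses are assumptions for illustration, and the directory's RVA and size are taken as already read from data directory entry 5 of the Optional Header.

```python
import struct

# Relocation types from the PE/COFF specification
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address
FIXUP = {IMAGE_REL_BASED_HIGHLOW: ("<I", 0xFFFFFFFF),
         IMAGE_REL_BASED_DIR64: ("<Q", 0xFFFFFFFFFFFFFFFF)}

def apply_base_relocations(image, reloc_rva, reloc_size, preferred_base, actual_base):
    """Patch a *mapped* image (sections placed at their RVAs) in place.
    Returns the RVAs that were adjusted by actual_base - preferred_base."""
    delta = actual_base - preferred_base
    patched = []
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        # Block header: page RVA, then total block size including this header
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or block_size % 2 or pos + block_size > end:
            raise ValueError("malformed relocation block at RVA %#x" % pos)
        entries = bytes(image[pos + 8:pos + block_size])
        for (entry,) in struct.iter_unpack("<H", entries):
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue  # alignment padding only
            if rtype not in FIXUP:
                raise ValueError("unsupported relocation type %d" % rtype)
            fmt, mask = FIXUP[rtype]
            (value,) = struct.unpack_from(fmt, image, target)
            struct.pack_into(fmt, image, target, (value + delta) & mask)
            patched.append(target)
        pos += block_size
    return patched

# Constructed sample values (not from any real binary)
PREFERRED_BASE, ACTUAL_BASE = 0x140000000, 0x7FF600000000
RELOC_RVA, RELOC_SIZE = 0x2000, 16

def build_sample():
    """Constructed 64-bit image: three pointers on page 0x1000, table at 0x2000."""
    image = bytearray(0x3000)
    for off, ptr in ((0x1010, 0x140001234), (0x1020, 0x140001500), (0x1FF8, 0x140002000)):
        struct.pack_into("<Q", image, off, ptr)
    dir64 = IMAGE_REL_BASED_DIR64 << 12
    struct.pack_into("<II4H", image, RELOC_RVA, 0x1000, RELOC_SIZE,
                     dir64 | 0x010, dir64 | 0x020, dir64 | 0xFF8, 0)
    return image
```

Calling the function a second time with the two bases swapped restores the original bytes, which is how an analyst normalizes a memory-resident image before comparing it with the file on disk.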