Monday, January 5, 2026

Process hollowing

A RunPE attack replaces the actual loaded module when the process is created and before it starts to execute. The attacker suspends the process during the CreateProcess call, locates the load address of the image via the PEB, and rewrites it to point to malicious code that has already been mapped into the address space. It then fixes up the thread context and resumes the process, so that the malicious code has hijacked the process.