Working

  • Create a legitimate process in suspended state.
  • Retrieve thread context of this process.
  • Unmap sections of the target process.
  • Inject a malicious PE file from disk and over-write the sections of this process’ memory.
  • Relocate if the base address of the injected PE file differs from the suspended process.
  • Set new entry-point using thread context.