[Diagram: PE layout and DLL search order for a.exe launched from C:\hijack\a.exe. Opt Header: .text, .EntryPoint, .ImageBase. Section Data: .rdata, .idata. Process -> PEB -> PE Module list: ntdll.dll, VERSION.dll, user32.dll, ... LoadLibrary() $PATH search order: "C:\hijack\VERSION.dll", "System32\VERSION.dll", "SysWoW64\VERSION.dll", ...]
• FireEye: DLL Side-Loading
• malware.dll + benignware.exe