Rebuilding a PE File From Memory
Malware Analysis, News and Indicators - Latest topics malware.news
Malware often extracts an embedded PE (Portable Executable) file from within itself and then either overwrites its own process image with it, or starts a new process and overwrites that process's image with it (process hollowing). What if you want to save a copy of this extracted PE file so that you can analyse it with something other than the debugger you were running the sample in?
While looking at Tofsee, I noticed that it extracted an embedded PE file and overwrote its …
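The difficulty the paragraph above points at is that a PE copied out of process memory is in memory layout (each section sits at its VirtualAddress, aligned to SectionAlignment), while every file parser expects file layout (each section at PointerToRawData, aligned to FileAlignment). The following is an added example, not code from the original post or from the Tofsee analysis: it parses the DOS, NT and section headers of a dumped image, copies each section's bytes out at its VirtualAddress, writes them back file-aligned, rewrites the section table to match, and optionally sets ImageBase to the address the image was dumped from so that absolute addresses already fixed up by the loader stay meaningful. The sample image it runs on is hand-assembled in `build_constructed_memory_image()` and is not a real sample; all function names are this example's own.

```python
import struct
from collections import namedtuple

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HEADER = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)

PEHeaders = namedtuple("PEHeaders", "nt opt is_pe32plus num_sections section_table "
                                    "section_alignment file_alignment size_of_headers")


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_headers(buf):
    """Locate the NT headers and the fields the rebuild needs; raise on anything that is not a PE."""
    if len(buf) < 0x40 or struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", buf, 0x3C)[0]                       # e_lfanew
    if nt + 24 > len(buf) or struct.unpack_from("<I", buf, nt)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE signature")
    num_sections = struct.unpack_from("<H", buf, nt + 6)[0]           # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", buf, nt + 20)[0]              # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = nt + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sect_align, file_align = struct.unpack_from("<II", buf, opt + 32)  # SectionAlignment, FileAlignment
    size_of_headers = struct.unpack_from("<I", buf, opt + 60)[0]
    h = PEHeaders(nt, opt, magic == PE32PLUS_MAGIC, num_sections, opt + opt_size,
                  sect_align, file_align, size_of_headers)
    if h.section_table + num_sections * SECTION_HEADER_SIZE > size_of_headers:
        raise ValueError("section table extends past SizeOfHeaders")
    return h


def sections(buf):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) for every section."""
    h = parse_headers(buf)
    out = []
    for i in range(h.num_sections):
        f = struct.unpack_from(SECTION_HEADER, buf, h.section_table + i * SECTION_HEADER_SIZE)
        out.append((f[0].rstrip(b"\0"),) + f[1:5])
    return out


def section_file_bytes(buf, name):
    """Read a section the way a file parser would: at PointerToRawData, not VirtualAddress."""
    for sname, vsize, _vaddr, rawsize, rawptr in sections(buf):
        if sname == name:
            return buf[rawptr:rawptr + min(vsize, rawsize)]
    raise KeyError(name)


def rebuild_pe_from_memory(image, image_base=None):
    """Turn a memory-layout dump into a file-layout PE by re-placing each section at a
    FileAlignment-aligned offset and rewriting its header; optionally patch ImageBase."""
    h = parse_headers(image)
    out = bytearray(image[:h.size_of_headers])                    # headers copied, patched in place below
    cursor = align_up(h.size_of_headers, h.file_alignment)
    out.extend(b"\0" * (cursor - len(out)))
    for i in range(h.num_sections):
        off = h.section_table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, _rawptr, prel, pln, nrel, nln, chars = \
            struct.unpack_from(SECTION_HEADER, image, off)
        size = vsize or rawsize           # some packers zero VirtualSize; fall back to SizeOfRawData
        data = image[vaddr:vaddr + size]  # a truncated dump gives a short read; zero-filled below
        new_rawsize = align_up(len(data), h.file_alignment)
        out.extend(data + b"\0" * (new_rawsize - len(data)))
        struct.pack_into(SECTION_HEADER, out, off, name, vsize, vaddr, new_rawsize, cursor,
                         prel, pln, nrel, nln, chars)
        cursor += new_rawsize
    if image_base is not None:            # address the image was dumped from, if relocations were applied
        if h.is_pe32plus:
            struct.pack_into("<Q", out, h.opt + 24, image_base)
        else:
            struct.pack_into("<I", out, h.opt + 28, image_base)
    return bytes(out)


def build_constructed_memory_image():
    """Constructed PE32 as it would sit in a process (not a real sample): sections live at
    their VirtualAddress while the headers still carry the on-disk PointerToRawData values."""
    text, data = b"\xC3" * 0x100, b"DATA" * 0x20
    secs = [(b".text", len(text), 0x1000, 0x200, 0x200, 0x60000020),
            (b".data", len(data), 0x2000, 0x200, 0x400, 0xC0000040)]
    img = bytearray(0x3000)                                       # SizeOfImage
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<I", img, 0x40, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)  # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)               # ImageBase as linked
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, len(img), 0x200)       # SizeOfImage, SizeOfHeaders
    for i, (name, vsize, vaddr, rawsize, rawptr, chars) in enumerate(secs):
        struct.pack_into(SECTION_HEADER, img, opt + 0xE0 + i * SECTION_HEADER_SIZE,
                         name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    img[0x1000:0x1000 + len(text)] = text
    img[0x2000:0x2000 + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    mem = build_constructed_memory_image()
    print("in memory, .text read at PointerToRawData:", section_file_bytes(mem, b".text")[:8])
    rebuilt = rebuild_pe_from_memory(mem, image_base=0x400000)
    print("after rebuild:", section_file_bytes(rebuilt, b".text")[:8], sections(rebuilt))
```

Reading `.text` at its PointerToRawData in the dump returns zeros, because nothing is at that offset in memory; after the rebuild the same read returns the section's code, and the file can be opened in a disassembler or PE viewer. Two caveats the example does not handle: if the dump was taken from the raw buffer the malware decrypted, before any mapping, it is already in file layout and must not be rebuilt; and the import table of a hollowed image is normally already resolved by the loader, so the IAT holds live addresses rather than name RVAs, which is a separate repair.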