Module Overloading Save

A more stealthy variant of "DLL hollowing"

Project README

Module Overloading

A PoC based on the ideas of thewover (twitter @TheRealWover): https://twitter.com/TheRealWover/status/1193284444687392768?s=20 + my own experiments

Using: libpeconv.

Characteristics:

Payload mapped as MEM_IMAGE, impersonating a legitimate DLL (image linked to a file on the disk)
Sections mapped with original access rights (no RWX)
Not connected* to the list of modules (invisible for Module32First/Module32Next)
- may be connected if the 'classic DLL hollowing' was selected
Only self-injection supported

Demo:

demo_view

Clone:

Use recursive clone to get the repo together with all the submodules:

git clone --recursive https://github.com/hasherezade/module_overloading.git

Open Source Agenda is not affiliated with "Module Overloading" Project. README Source: hasherezade/module_overloading

Stars

331

Open Issues

Last Commit

1 month ago

Repository

hasherezade/module_overloading

Open Source Agenda Badge

<a href="https://www.opensourceagenda.com/projects/module-overloading"><img src="https://www.opensourceagenda.com/projects/module-overloading/reviews/badge.svg" alt="Open Source Agenda"></a>

Submit Review Review Your Favorite Project

Submit Resource Articles, Courses, Videos

Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022