
I have been learning and implementing Process Hollowing attacks, and even after I got the thing to work, I have some questions.

  1. Why aren't we building the IAT when we load our injected PE? All we do is copy the headers and the sections and fix relocations (if any are needed), but we never touch the IAT. I don't understand why it works.

  2. If we unmap the victim process's image from its image base, say 0x40000, we can't allocate that base address again; we get an INVALID_ADDRESS error. This works with any other address, or in cases where the two image bases differ. I found a mention in some blog but no explanation.

  • The malicious exe is dynamically linked and does not use bound imports as you may think
  • Other checks that I performed:
    • If I debug the victim process along the way, I get an access violation because of the not-yet-built IAT (sounds reasonable)
    • If I debug the program after the injection happened successfully, the IAT is built and the malicious exe runs without problems.

I assume that there is some code that I'm missing that builds the IAT at runtime, or it's something that happens from the OS scope.

schroeder

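Added example (not part of the question or of any answer on this page): a Python model of the step the question is circling around. Hollowing code only copies headers and sections and applies relocations; the IAT gets filled in later because, when the suspended process is resumed, ntdll's loader runs inside the new process, follows PEB->ImageBaseAddress to whatever image is now mapped there, reads its import data directory and snaps the IAT before the entry point executes. The code below constructs a minimal PE32+ image in memory using the real structure offsets, shows that in an unbound image the IAT starts out as a copy of the INT (RVAs to hint/name entries, which is why dereferencing it before the loader has run faults), then resolves it against a fake export table standing in for GetProcAddress. The image layout, the DLL name, the function names and the addresses in FAKE_EXPORTS are all constructed for the example.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_ORDINAL_FLAG64 = 1 << 63

# Constructed stand-in for the real DLLs' export tables / GetProcAddress.
# DLL name, function names and addresses are made up for this example.
FAKE_EXPORTS = {
    "KERNEL32.dll": {
        "ExitProcess": 0x7FF800011000,
        "GetStdHandle": 0x7FF800012000,
        "WriteFile": 0x7FF800013000,
    },
}


def build_image():
    """Construct a minimal PE32+ image laid out as if already mapped (RVA == offset).

    Only what the loader's import-snapping step needs is filled in: the headers that
    lead to the import data directory, one IMAGE_IMPORT_DESCRIPTOR plus terminator,
    an INT and an IAT, and the IMAGE_IMPORT_BY_NAME strings. Offsets are the real ones.
    """
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 1 section, SizeOfOptionalHeader=240, EXECUTABLE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = 0x58                                                   # IMAGE_OPTIONAL_HEADER64
    struct.pack_into("<H", img, opt, 0x20B)                      # Magic: PE32+
    struct.pack_into("<Q", img, opt + 24, 0x140000000)           # ImageBase
    struct.pack_into("<I", img, opt + 108, 16)                   # NumberOfRvaAndSizes
    # DataDirectory[IMPORT]: RVA 0x400, size 40 (one descriptor + the all-zero terminator)
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x400, 40)

    # Strings: DLL name, then word-aligned hint/name entries, as a linker would emit them
    dll_name_rva = 0x500
    img[dll_name_rva:dll_name_rva + 13] = b"KERNEL32.dll\0"
    cursor, name_rvas = 0x510, []
    for hint, func in enumerate(FAKE_EXPORTS["KERNEL32.dll"]):
        struct.pack_into("<H", img, cursor, hint)                # IMAGE_IMPORT_BY_NAME.Hint
        img[cursor + 2:cursor + 3 + len(func)] = func.encode() + b"\0"
        name_rvas.append(cursor)
        cursor = (cursor + 3 + len(func) + 1) & ~1

    # INT (OriginalFirstThunk) and IAT (FirstThunk): in an unbound image both hold the
    # same RVAs to the hint/name entries. Arrays are null-terminated (buffer is zeroed).
    int_rva, iat_rva = 0x440, 0x480
    for i, rva in enumerate(name_rvas):
        struct.pack_into("<Q", img, int_rva + 8 * i, rva)
        struct.pack_into("<Q", img, iat_rva + 8 * i, rva)
    struct.pack_into("<IIIII", img, 0x400, int_rva, 0, 0, dll_name_rva, iat_rva)
    return img


def import_directory(img):
    """Follow e_lfanew to the optional header; return (RVA, size) of the import directory."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    if struct.unpack_from("<H", img, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    return struct.unpack_from("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)


def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def thunks(img, rva):
    """Return (slot_rva, value) pairs of a null-terminated 64-bit thunk array."""
    out = []
    while True:
        val = struct.unpack_from("<Q", img, rva)[0]
        if val == 0:
            return out
        out.append((rva, val))
        rva += 8


def descriptors(img):
    """Yield (dll_name, OriginalFirstThunk, FirstThunk) per IMAGE_IMPORT_DESCRIPTOR."""
    rva, _size = import_directory(img)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, rva)
        if not (oft or name_rva or ft):
            return
        yield cstr(img, name_rva), oft, ft
        rva += 20


def thunk_tables(img):
    """{dll: (INT values, IAT values)} read straight from the image bytes."""
    return {dll: ([v for _, v in thunks(img, oft)], [v for _, v in thunks(img, ft)])
            for dll, oft, ft in descriptors(img)}


def snap_imports(img, exports):
    """Model of the loader's IAT snap at process start: read each name via the INT,
    look it up in the DLL's exports, overwrite the matching IAT slot with the address."""
    resolved = {}
    for dll, oft, ft in descriptors(img):
        table = exports[dll]
        for (_, val), (iat_slot, _) in zip(thunks(img, oft or ft), thunks(img, ft)):
            if val & IMAGE_ORDINAL_FLAG64:
                raise NotImplementedError("import by ordinal is not modelled")
            func = cstr(img, val + 2)                            # skip the 2-byte Hint
            struct.pack_into("<Q", img, iat_slot, table[func])
            resolved.setdefault(dll, []).append((func, table[func]))
    return resolved


if __name__ == "__main__":
    image = build_image()
    before = thunk_tables(image)["KERNEL32.dll"]
    print("before snap: INT == IAT:", before[0] == before[1], [hex(v) for v in before[1]])
    snap_imports(image, FAKE_EXPORTS)
    print("after snap:  IAT:", [hex(v) for v in thunk_tables(image)["KERNEL32.dll"][1]])
```

The pre-snap state is what a debugger sees when stopping the hollowed process before its first thread has run the loader: every IAT slot holds a small RVA, not a code address, so any call through it faults. The post-snap state is what is seen after a successful injection. Because the hollowing code copies the injected PE's headers, including the data directory, the loader in the victim process finds the injected image's import directory exactly as it would for the original executable.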