Category:Digital-Forensics/Computer-Forensics/Process-Replacement

From aldeid

Description

Some malware modifies legitimate processes so that it remains stealthy and persistent: the malicious code runs under the name and image path of a trusted process.

Pseudo-code (Windows API calls) explaining process replacement:

// Start a legitimate host process, suspended before its first instruction runs
CreateProcess(..., "svchost.exe", ..., CREATE_SUSPENDED, ...);
// Unmap the original executable image from the suspended process
ZwUnmapViewOfSection(...);
// Reserve memory at the replacement image's preferred base, large enough for the whole image
VirtualAllocEx(..., ImageBase, SizeOfImage, ...);
// Copy the replacement PE headers into the host process
WriteProcessMemory(..., headers, ...);
// Copy each section of the replacement image
for (i = 0; i < NumberOfSections; i++) {
    WriteProcessMemory(..., section, ...);
}
// Point the suspended main thread at the replacement image's entry point
SetThreadContext(...);
...
// Resume the thread: the process now runs the replacement code under the host's name
ResumeThread(...);

Pages in category "Digital-Forensics/Computer-Forensics/Process-Replacement"

The following 7 pages are in this category, out of 7 total.