1. [Zer0Mem0ry's example](https://github.com/Zer0Mem0ry/RunPE/blob/master/RunPE.cpp) differs from mine in that the process hollowing program injects the malicious image into ITSELF rather than into a separate process. In that example, the malicious program is also never stored on or read from the disk: its [shellcode](https://github.com/hasherezade/pe_to_shellcode) is embedded in the source of the RunPE program before compilation. This has the benefit of avoiding signature detection of a standalone malicious file. Combined with obfuscation and/or packing, the malicious data may never exist on the disk in a readable form, which offers potentially better antivirus evasion. If having everything in one file while still injecting ANOTHER process matters to you, feel free to combine the two methods: replace the components of mine that read the data from the malicious file on disk into memory with their embedded-shellcode approach.