Want to Join Us ?

you'll be able to discuss, share and send private messages.

Research PowerLoaderEx - Advanced Code Injection Technique for x32 / x64 by BreakingMalware

Discussion in 'Source Code' started by storm shadow, Sep 6, 2015.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer


    Original PowerLoader

    • Known since ~2013
    • Loader used in many different dropper families (Gapz / Redyms / Carberp / Vabushky ...)
    • First injection technique via Return Oriented Programming technique (ROP).
    • “explorer.exe” is injected using Shell_TrayWnd / NtQueueApcThread (32bit / 64bit)

    • Injection via shared desktop heap
    • Remove dependency in Explorer.exe shared sections (more generic)
    • Injection without reading memory from the target process
    • 32 and 64-bit versions (same technique)
    Tested Environments

    • Windows 7 32 and 64 bit.

    • BreakingMalware.com
    source https://github.com/BreakingMalware/PowerLoaderEx

    Attached Files:

    Rip Cord likes this.