
VectoredOverloading

Vectored Overloading is a local PE injection technique that was first observed in the KidKadi malware.

It works by manipulating the loading of a legitimate DLL, using Hardware Breakpoints (HWBP) and Vectored Exception Handling (VEH) to swap the DLL's section object on the fly.

Essentially, the technique does the following:

  • Creates a SEC_IMAGE mapping from a legitimate DLL (e.g. wmp.dll)
  • Maps a payload PE over this image memory
  • Sets its entrypoint to 0 and forces the DLL flag in the FileHeader->Characteristics field
  • Sets a HWBP on NtOpenSection & loads any legitimate DLL
  • When the Windows loader calls NtOpenSection, the VEH emulates the syscall by skipping it and replacing the OUT parameters, so that the returned section object is now that of the payload. The VEH also sets a new HWBP on NtMapViewOfSection
  • The loader tries to map the section into memory and then triggers the VEH on NtMapViewOfSection
  • The VEH replaces the OUT parameters of the syscall and skips its execution, emulating a mapping of the malicious PE's view
  • The loading proceeds and the Windows loader now takes care of handling imports and further processing of the malicious PE image
  • The entrypoint is invoked, executing the payload
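The steps above leave header-level traces that a memory scanner can look for: the image mapped under the legitimate DLL's name has an entry point of 0 and a DLL flag that was forced into FileHeader->Characteristics, and its header no longer matches the file on disk. The following Python is an added defensive example, not code from this repository or from the blog post. It parses the DOS/COFF/optional-header fields needed for those checks, flags a zero entry point on a DLL-flagged image, and diffs an in-memory header against the on-disk one. The PE buffers it uses are constructed in-line by `build_header` (a hypothetical helper producing a minimal PE32+ header, not a real DLL) so the script runs offline.

```python
import struct

# COFF Characteristics bits from the PE specification
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(data: bytes) -> dict:
    """Parse the DOS header, COFF file header and leading optional-header fields."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # AddressOfEntryPoint sits at offset 16 of the optional header (PE32 and PE32+)
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)
    return {
        "machine": machine,
        "sections": nsections,
        "characteristics": characteristics,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "magic": magic,
        "entry_point": entry_point,
    }


def assess_image(data: bytes) -> list:
    """Return anomaly descriptions for the header traits the technique leaves behind."""
    hdr = parse_pe_header(data)
    findings = []
    if hdr["entry_point"] == 0:
        findings.append("AddressOfEntryPoint is 0")
    if hdr["is_dll"] and hdr["entry_point"] == 0:
        findings.append("DLL flag set with zero entry point")
    return findings


def compare_with_disk(memory_image: bytes, disk_image: bytes) -> list:
    """Names of header fields where the mapped image differs from its backing file."""
    mem, disk = parse_pe_header(memory_image), parse_pe_header(disk_image)
    return [
        k for k in ("machine", "sections", "characteristics", "entry_point")
        if mem[k] != disk[k]
    ]


def build_header(entry_point: int, characteristics: int, sections: int = 3) -> bytes:
    """Constructed minimal PE32+ header (hypothetical sample, not a real DLL)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, sections, 0, 0, 0, 240, characteristics)
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0x1000, 0x1000, 0, entry_point)
    opt += b"\0" * (240 - len(opt))  # pad to the PE32+ optional header size
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Constructed samples: a normal DLL header and one shaped like the injected payload
    legit = build_header(0x1234, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020 | IMAGE_FILE_DLL)
    injected = build_header(0, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020 | IMAGE_FILE_DLL, sections=5)
    print("legit:", assess_image(legit))
    print("injected:", assess_image(injected))
    print("diff vs disk:", compare_with_disk(injected, legit))
```

In a real deployment the `memory_image` bytes would be read from the module's mapped base in the target process and `disk_image` from the file path the loader reports for that module; the header comparison is what catches a payload hiding under wmp.dll's name, and the zero entry point on a DLL-flagged image is a secondary indicator.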

For a more detailed analysis, please refer to our blogpost:
