# RelocAlloc: Using the .reloc section to replace the typical allocation calls


Explaining the code:

  • First, locate the base addresses of all the DLLs mapped into our process.
  • Then build an array of structs, one per module, and fill it with the data we need (base address and the location/size of its `.reloc` section); that is what `Initialize()` does.
  • With the array filled, the next step is to search it for a usable address.
  • Calling `GetSuitableAddress(SIZE_T ShellcodeSize)` does the job: it looks for a code cave, i.e. an empty (unused, zero-filled) run inside a `.reloc` section that is big enough to hold the shellcode. The loader only reads `.reloc` while it is relocating the image, so the unused tail of the section is free for us once the DLL is mapped.
  • If such a cave is found, its address is returned.
  • Before using it we must change the memory protection of that range to writable and executable (the PoC simply makes it RWX; a more careful version would go RW for the copy and then RX). The pages belong to a mapped image, so the write is copy-on-write: it only changes this process's copy, never the DLL on disk or other processes.
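The following is an added example written for this README, not the RelocAlloc source itself. It walks through the same four steps: find the `.reloc` section of a mapped PE image, scan it for a zero-filled cave at least `ShellcodeSize` bytes long, and (on Windows only) enumerate the process's modules and change the cave's protection. The PE parsing and the cave search are plain C so they can be exercised against a constructed in-memory image (`build_fake_image()`, a fake with one `.reloc` section, not a real DLL); the module walk uses `EnumProcessModules`/`GetModuleInformation`/`VirtualProtect` and is guarded by `#ifdef _WIN32`. Function names such as `get_suitable_address_in_image` and `reloc_alloc` are my own and only mirror the README's `GetSuitableAddress`.

```c
/*
 * Added example (not RelocAlloc's own code): find a code cave in the .reloc
 * section of a mapped PE image and, on Windows, make it executable.
 * Portable parts: PE section-table parse + zero-run search, tested against a
 * constructed fake image. Windows-only part: module walk + VirtualProtect.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* link with psapi.lib */
#endif

/* Little-endian field access without assuming alignment or host endianness. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the section table of the PE image at `base` and report the RVA and
 * in-memory size (Misc.VirtualSize) of ".reloc". Returns 1 on success. */
int find_reloc_section(const uint8_t *base, size_t image_len, uint32_t *rva, uint32_t *size)
{
    if (image_len < 0x40 || base[0] != 'M' || base[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(base + 0x3C);
    if ((size_t)e_lfanew + 24 > image_len) return 0;
    const uint8_t *nt = base + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    uint16_t nsections = rd16(nt + 4 + 2);        /* FileHeader.NumberOfSections */
    uint16_t opt_size  = rd16(nt + 4 + 16);       /* FileHeader.SizeOfOptionalHeader */
    const uint8_t *sec = nt + 4 + 20 + opt_size;  /* first IMAGE_SECTION_HEADER (40 bytes each) */
    for (uint16_t i = 0; i < nsections; i++, sec += 40) {
        if ((size_t)(sec + 40 - base) > image_len) return 0;
        if (memcmp(sec, ".reloc\0\0", 8) == 0) {
            *size = rd32(sec + 8);    /* Misc.VirtualSize */
            *rva  = rd32(sec + 12);   /* VirtualAddress */
            return 1;
        }
    }
    return 0;
}

/* Return the first run of at least `need` zero bytes in [start, start+len), or NULL. */
uint8_t *find_code_cave(uint8_t *start, size_t len, size_t need)
{
    if (need == 0 || len < need) return NULL;
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (start[i] == 0) ? run + 1 : 0;
        if (run >= need) return start + i + 1 - need;
    }
    return NULL;
}

/* Per-module equivalent of the README's GetSuitableAddress(). */
uint8_t *get_suitable_address_in_image(uint8_t *base, size_t image_len, size_t shellcode_size)
{
    uint32_t rva, size;
    if (!find_reloc_section(base, image_len, &rva, &size)) return NULL;
    if ((size_t)rva + size > image_len) return NULL;     /* reject a section header pointing past the image */
    return find_code_cave(base + rva, size, shellcode_size);
}

/* Constructed test image (not a real DLL): "MZ" + PE headers with a 224-byte
 * PE32 optional header and a single ".reloc" section at RVA 0x1000 of 0x200
 * bytes. The first `used` bytes of the section are non-zero, standing in for
 * real relocation blocks; the rest is the zero-filled tail we want to find. */
size_t build_fake_image(uint8_t *buf, size_t buflen, uint32_t used)
{
    const uint32_t reloc_rva = 0x1000, reloc_size = 0x200, e_lfanew = 0x80;
    size_t image_len = reloc_rva + reloc_size;
    if (buflen < image_len) return 0;
    memset(buf, 0, image_len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    nt[4 + 2]  = 1;      /* NumberOfSections */
    nt[4 + 16] = 224;    /* SizeOfOptionalHeader */
    uint8_t *sec = nt + 4 + 20 + 224;
    memcpy(sec, ".reloc\0\0", 8);
    wr32(sec + 8, reloc_size);
    wr32(sec + 12, reloc_rva);
    for (uint32_t i = 0; i < used && i < reloc_size; i++) buf[reloc_rva + i] = (uint8_t)(0xA0 | (i & 0x0F));
    return image_len;
}

/* Convenience for stand-alone runs and tests: offset of the cave inside the
 * fake image for a given amount of used .reloc data, or -1 if none fits. */
long demo_cave_offset(uint32_t used, size_t need)
{
    uint8_t img[0x1200];
    size_t len = build_fake_image(img, sizeof img, used);
    uint8_t *cave = get_suitable_address_in_image(img, len, need);
    return cave ? (long)(cave - img) : -1L;
}

#ifdef _WIN32
/* Steps 1, 3 and 4 of the README on a live process: walk every loaded module,
 * take the first .reloc cave that fits, and make it RWX like the PoC does. */
uint8_t *reloc_alloc(size_t shellcode_size)
{
    HMODULE mods[1024]; DWORD needed;
    if (!EnumProcessModules(GetCurrentProcess(), mods, sizeof(mods), &needed)) return NULL;
    for (DWORD i = 0; i < needed / sizeof(HMODULE); i++) {
        MODULEINFO mi;
        if (!GetModuleInformation(GetCurrentProcess(), mods[i], &mi, sizeof(mi))) continue;
        uint8_t *cave = get_suitable_address_in_image((uint8_t *)mi.lpBaseOfDll, mi.SizeOfImage, shellcode_size);
        if (!cave) continue;
        DWORD old;
        if (VirtualProtect(cave, shellcode_size, PAGE_EXECUTE_READWRITE, &old)) return cave;  /* copy-on-write page */
    }
    return NULL;
}
#endif

int main(void)
{
    printf("fake image: cave for 128 bytes at offset 0x%lx\n", demo_cave_offset(0x40, 128));
#ifdef _WIN32
    printf("first live .reloc cave for 128 bytes: %p\n", (void *)reloc_alloc(128));
#endif
    return 0;
}
```

On the fake image the 0x40 bytes of pretend relocation data push the cave to offset 0x1040, a 128-byte request fits, and a request larger than the 0x1C0-byte zero tail fails, which is exactly the "bigger `.reloc`, better odds" behaviour the note below describes. On Windows, `reloc_alloc()` returns a pointer inside a `MEM_IMAGE` region rather than a fresh `MEM_PRIVATE` RWX block, which is the whole point of the technique.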

Demo:

(demo screenshots: img1, img2)

Note: this only works with small shellcodes, because it depends on which DLLs are mapped: the bigger a module's `.reloc` section, the better the chance of finding a cave of the right size. In addition, this has only been tested on an x64 machine; it should also work on x86, but that is untested.



# STAY TUNED FOR MORE
![120064592-a5c83480-c075-11eb-89c1-78732ecaf8d3](https://gitlab.com/ORCA666/kcthijack/-/raw/main/images/PP.png)