Hello!
I was wondering lately if anyone actually worked on the engine that produces relocation data based on data in PE code section. Let me straighten out what I'm driving at.
Let's imagine we want to modify the code of some application while it's running and we have a problem, because there is a code modification detection engine implemented in it that we cannot bypass. The idea to modify the application code would be to duplicate the code section to another memory space and redirect the execution to it while the code modification detection engine still would be checking the old legitimate code section for changes. With the code section duplicated we can freely modify its contents as we wish without having to worry about being detected.
There is a catch of course, because I believe this approach is extremely hard to achieve as only dll files are supplied with relocation table section that allows the PE loader to map the code into any address space by adding the base address difference to any absolute or relative memory reference.
My question is if anyone has written any papers on this subject already?
Regards,
Black Dot
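For readers who want to see concretely what the relocation table mentioned above does, here is an added example (not code from the poster) that walks a `.reloc` section the way the PE loader does and applies the base-address delta to each absolute reference. The layout is the documented one: a sequence of `IMAGE_BASE_RELOCATION` blocks (page RVA, block size) followed by 16-bit entries whose top 4 bits are the fixup type and low 12 bits the offset within the page. The sample image, its original base, the new base and the pointer values are all constructed for the demonstration; nothing here is taken from a real binary.

```python
import struct

# Fixup types from the PE specification that this example understands.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup applied
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address


def parse_reloc_section(blob):
    """Return a list of (rva, type) for every real fixup in a .reloc blob."""
    fixups = []
    off = 0
    while off + 8 <= len(blob):
        page_rva, size = struct.unpack_from("<II", blob, off)
        if page_rva == 0 and size == 0:
            break  # trailing zero padding at the end of the section
        if size < 8 or off + size > len(blob):
            raise ValueError("malformed relocation block at offset 0x%x" % off)
        for i in range((size - 8) // 2):
            (entry,) = struct.unpack_from("<H", blob, off + 8 + 2 * i)
            rtype = entry >> 12
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                fixups.append((page_rva + (entry & 0xFFF), rtype))
        off += size
    return fixups


def apply_relocations(image, blob, old_base, new_base):
    """Patch absolute references in `image` in place; return (rva, old, new) tuples."""
    delta = new_base - old_base
    applied = []
    for rva, rtype in parse_reloc_section(blob):
        if rtype == IMAGE_REL_BASED_HIGHLOW:
            (old,) = struct.unpack_from("<I", image, rva)
            new = (old + delta) & 0xFFFFFFFF
            struct.pack_into("<I", image, rva, new)
        elif rtype == IMAGE_REL_BASED_DIR64:
            (old,) = struct.unpack_from("<Q", image, rva)
            new = (old + delta) & 0xFFFFFFFFFFFFFFFF
            struct.pack_into("<Q", image, rva, new)
        else:
            raise ValueError("unsupported relocation type %d at rva 0x%x" % (rtype, rva))
        applied.append((rva, old, new))
    return applied


def read_u32(image, rva):
    """Helper for inspecting a 32-bit value at an RVA in the image buffer."""
    return struct.unpack_from("<I", image, rva)[0]


def make_sample():
    """Constructed 32-bit image: two absolute pointers on the page at RVA 0x1000.

    The image pretends to be linked at base 0x400000; the pointers therefore
    hold 0x401234 and 0x402000 before relocation.
    """
    old_base = 0x400000
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1010, old_base + 0x1234)
    struct.pack_into("<I", image, 0x1020, old_base + 0x2000)
    # One IMAGE_BASE_RELOCATION block for page 0x1000 with two HIGHLOW entries
    # and two ABSOLUTE padding entries so SizeOfBlock stays 4-byte aligned.
    entries = [
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
        IMAGE_REL_BASED_ABSOLUTE,
        IMAGE_REL_BASED_ABSOLUTE,
    ]
    blob = struct.pack("<II", 0x1000, 8 + 2 * len(entries))
    blob += b"".join(struct.pack("<H", e) for e in entries)
    return image, blob, old_base


if __name__ == "__main__":
    img, reloc, base = make_sample()
    for rva, old, new in apply_relocations(img, reloc, base, 0x10000000):
        print("rva 0x%04x: 0x%08x -> 0x%08x" % (rva, old, new))
```

The point of the example is the one the post hinges on: the fixup list is the only record of which bytes in the code section hold absolute addresses, so without it a copy of the section placed at a different base has no reliable way to tell pointers from ordinary instruction bytes. From the analysis side, the same walk is what an integrity checker or a memory-forensics tool uses to normalise relocated images back to their file-on-disk form before comparing them.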