Summary
In this chapter, we explained how the application loader is executed through the IAT in the PE structure and explained in detail the various fields in the IAT. We also learned about attacks such as directly calling programs in memory, IAT hijacking, and DLL side-loading. These techniques are often used by attackers to develop deshells, fileless attacks, and staged payloads to escalate privileges, bypass antivirus software, or hide backdoors. By understanding how these techniques work, you will be able to develop techniques for red team testing or blue team defending in the future.
In the next chapter, we will look at a more in-depth question: what if the PE binary cannot be placed in the memory location (image base) desired by the compiler? The redirection design of the PE module can help! Simply apply the redirection correction, which will allow us to place the PE module on any image base that is not assumed by the compiler. Therefore, in the next chapter, we will be able...
