Hi there =)
If I'm not mistaken, a PE image is by default considered to be contiguous in memory. All of its sections in memory are one after another, aligned on page boundaries.
So I'm curious: is it theoretically possible to relocate a PE image in memory in such a way that its sections are NOT contiguous in memory? That means manually mapping sections to different regions of memory and then applying some custom fixups. Would such a custom-relocated image maintain its working state after such operations?
I understand that this question may sound super stupid. Maybe I missed something in the PE specification or in the implementation of the Windows APIs that work with PE, but I have not found anything that could absolutely prevent this from working.
Any thoughts on this? Could this 'technique' be considered anti-dump / anti-forensics? Thanks.
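Added example, not part of the original post: the PE format requires section virtual addresses in an image file to be ascending, adjacent, and a multiple of `SectionAlignment`, and this Python sketch checks that rule against a section table, which is the layout a dump or forensic tool assumes when it rebuilds an image from its headers. The helper names and the header-only sample built by `build_headers` are constructed for illustration.

```python
import struct

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def section_layout(image):
    """Return (SectionAlignment, [(name, rva, size), ...]) read from PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe, = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", image, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24
    # SectionAlignment sits at offset 32 in both PE32 and PE32+ optional headers.
    sec_align, = struct.unpack_from("<I", image, opt + 32)
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw = struct.unpack_from("<8sIII", image, table + 40 * i)
        # A VirtualSize of 0 means the raw size is used for the mapping.
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize or raw))
    return sec_align, sections

def find_gaps(image):
    """List (prev, next, expected_rva, actual_rva) where sections are not adjacent."""
    sec_align, sections = section_layout(image)
    gaps = []
    for (pname, prva, psize), (nname, nrva, _) in zip(sections, sections[1:]):
        expected = align_up(prva + psize, sec_align)
        if nrva != expected:
            gaps.append((pname, nname, expected, nrva))
    return gaps

def build_headers(sections, sec_align=0x1000):
    """Constructed sample input: minimal PE32 headers only, no section data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 32, sec_align, 0x200)     # Section/FileAlignment
    table = b"".join(struct.pack("<8sIII", name, vsize, rva, 0) + b"\0" * 20
                     for name, rva, vsize in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table
```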