HeaderLessPE: memory PE loading technique
HeaderLessPE is a memory PE loading technique used by the Icedid Trojan. Based on this technology, we propose a new way of file-less attack using HVNC. This enhancement allows to inject HeaderLessPE to execute graphical hacking tools without limitations. Compared to other in-memory loading techniques like MemDll, the extended HeaderLessPE has two advantages:
- Avoids the traditional DOS and PE headers IOC The DOS header and PE header are often focal points for memory scanning, requiring the use of a Profile file to erase the loaded Beacon header when using Cobalt Strike. With HeaderLessPE, you don’t need to worry about this issue.
- Supports relocation and import tables, making it easy to convert EXEs into HeaderLessPE structures As long as it supports relocation and does not include structures such as Tls and delay import, it can be converted into HeaderLessPE. This can be used not only for creating Trojan memory modules but also for conveniently converting some hacking tools into HeaderLessPE for in-memory loading and execution, expanding the available attack tools.
tools.exe -i “desktop_name” c:\windows\system32\mspaint.exe loader.exe BrowsingHistoryView.exe
This will run the BrowsingHistoryView tool without a file on the desktop_name desktop.