Execution Engine

The loader supports two execution methods depending on payload type:

RunPE (Process Hollowing)

For PE executables, the loader uses Process Hollowing to run the EXE in a new process without writing to disk.

  • Creates a suspended process from the current executable
  • Unmaps the original image via NtUnmapViewOfSection
  • Allocates memory at the preferred or an alternate base
  • Writes the headers and sections into the remote process
  • Processes relocations and resolves imports
  • Updates the PEB with the new image base
  • Resumes the thread at the new entry point
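
The step list above maps onto a fixed order of API calls, which is what endpoint telemetry can key on. The following is an added detection example, not part of this loader's code: a per-process state machine over constructed API-trace lines (the "<pid>|<api>|<details>" format and the API names in each stage are assumptions) that flags a caller only when it walks every stage in order, starting from a CREATE_SUSPENDED process creation.

```python
import re
from collections import defaultdict
# Ordered stages, each matched by any of its API names (names are assumptions).
STAGES = [
    ("create_suspended", {"CreateProcessW", "CreateProcessA"}),
    ("unmap", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_context", {"SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]
# Assumed trace line format: "<pid>|<api>|<details>"
LINE_RE = re.compile(r"^(?P<pid>\d+)\|(?P<api>\w+)\|(?P<details>.*)$")

def parse_trace(lines):
    """Yield (pid, api, details) for well-formed lines; skip malformed ones."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pid"), m.group("api"), m.group("details")

def find_hollowing(lines):
    """Return the PIDs whose trace walks every stage in order (tracked per PID)."""
    # CreateProcess counts only with CREATE_SUSPENDED; other calls do not advance.
    progress = defaultdict(int)  # pid -> index of the next expected stage
    flagged = set()
    for pid, api, details in parse_trace(lines):
        idx = progress[pid]
        if idx == len(STAGES):
            continue  # already flagged
        name, apis = STAGES[idx]
        if api not in apis:
            continue
        if name == "create_suspended" and "CREATE_SUSPENDED" not in details:
            continue
        progress[pid] = idx + 1
        if progress[pid] == len(STAGES):
            flagged.add(pid)
    return flagged
# Constructed sample trace (not real telemetry): PID 4012 runs the full sequence
# against child 5120; PID 7788 starts a child normally and writes to it once.
SAMPLE_TRACE = [
    "4012|CreateProcessW|image=C:\\app\\loader.exe flags=CREATE_SUSPENDED",
    "4012|NtUnmapViewOfSection|target=5120 base=0x400000",
    "4012|VirtualAllocEx|target=5120 base=0x400000 prot=PAGE_EXECUTE_READWRITE",
    "4012|WriteProcessMemory|target=5120 size=0x2000",
    "4012|SetThreadContext|thread=5124",
    "4012|ResumeThread|thread=5124",
    "7788|CreateProcessW|image=C:\\Windows\\notepad.exe flags=0",
    "7788|WriteProcessMemory|target=7790 size=0x40",
]
```

Requiring every stage keeps false positives from debuggers and installers low, but a variant that skips the unmap step would not trip this rule; production detections usually weight the stages rather than demand all of them.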

Shellcode Execution

For raw shellcode, the loader allocates RWX memory and creates a thread to run it.

// Auto-detects the payload type and picks the matching execution path
if (Downloader::IsPortableExecutable(data)) {
    Downloader::ExecutePEInNewProcess(data);  // PE: RunPE (process hollowing)
} else {
    Downloader::ExecuteFromMemory(data);      // raw shellcode: RWX memory + thread
}