I'm trying to reverse engineer a malware sample which uses a process hollowing technique. This malware uses an API hashing technique and contains some RC4 encryption algorithm references.
I already knew the entry point of the resumed thread and dumped it out, but IDA failed to analyze the dumped code.
What should I do?
Solution:
After dumping the injected code I have to fix the alignment of the file. According to https://reverseengineering.stackexchange.com/a/21932/36056:
In IDA, the final address is calculated by (base << 4) + offset, so I have to set the loading segment to 0 and the loading offset to the BaseAddr of the injected code.
Defeat dynamic resolving to label APIs in IDA:
I set a bp on GetProcAddress to build a table of APIs and then use a tool called apiscout (https://github.com/danielplohmann/apiscout) to dynamically resolve all APIs in IDA.
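Added example, not part of the question or answer and not apiscout's own code: it parses an address-to-API table from a constructed GetProcAddress breakpoint log (the log line format is an assumption), scans a constructed dump of the injected region for pointer-sized slots holding those addresses, and emits IDAPython `idc.set_name` lines to label the resolved slots at the dump's base address (0x400000 is a made-up value).

```python
import struct

# Constructed sample log from a GetProcAddress breakpoint; the line format
# "GetProcAddress(<module>, <name>) -> <address>" is an assumption of this example.
GPA_LOG = """\
GetProcAddress(kernel32.dll, VirtualAlloc) -> 0x7c809af1
GetProcAddress(kernel32.dll, CreateProcessA) -> 0x7c80236b
GetProcAddress(ntdll.dll, NtUnmapViewOfSection) -> 0x7c90d1d3
"""

# Constructed dump of the injected region: NOPs, a three-entry table of
# resolved API pointers (little-endian, 32-bit) with padding, then zeros.
DUMP_BASE = 0x400000
DUMP = (b"\x90" * 8
        + struct.pack("<I", 0x7c809af1) + struct.pack("<I", 0x7c80236b)
        + b"\xcc" * 4 + struct.pack("<I", 0x7c90d1d3) + b"\x00" * 4)

def parse_gpa_log(text):
    """Map each resolved address to 'module!Name' from the breakpoint log."""
    table = {}
    for line in text.splitlines():
        if not line.startswith("GetProcAddress("):
            continue
        inside, addr = line.split(") -> ")
        module, name = inside[len("GetProcAddress("):].split(", ")
        table[int(addr, 16)] = f"{module}!{name}"
    return table

def scan_dump(blob, base, table, ptr_size=4):
    """Byte-granular scan (apiscout-style) for slots holding a known API address.
    Returns [(virtual_address, 'module!Name'), ...] in offset order."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    hits = []
    for off in range(0, len(blob) - ptr_size + 1):
        val = struct.unpack_from(fmt, blob, off)[0]
        if val in table:
            hits.append((base + off, table[val]))
    return hits

def to_idapython(hits):
    """Render hits as idc.set_name lines to paste into IDA's Python console."""
    lines = []
    for va, api in hits:
        ident = "ptr_" + api.replace(".dll", "").replace("!", "_")
        lines.append(f'idc.set_name(0x{va:x}, "{ident}")')
    return lines

if __name__ == "__main__":
    print("\n".join(to_idapython(scan_dump(DUMP, DUMP_BASE, parse_gpa_log(GPA_LOG)))))
```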