The infector will point to the last section of the PE file and attempt to locate a code cave which is big enough to house the shellcode.

There is a limitation on potential targets which I did forget to mention. For this example, since the MessageBoxA function resides within user32.dll, it will only work if the target imports that DLL.

This code is Win32-only because it uses the WinAPI, but conceptually it can theoretically be carried over to Linux machines. IIRC, both the PE and ELF binaries are derived from the COFF. I’m not 100% sure about this because I’m not familiar with the structure of the ELF, so you’ll have to ask @0x00pf.