description: 06-21-2023

# 🕳 Process Hollowing

## Introduction

This technique occurs when malware unmaps (hollows out) the legitimate code from the memory of a target process.

It then overwrites the memory space of the target process with a malicious executable, so the malicious code runs under the identity of the legitimate process.

## High Level Explanation

  1. The target process is started in a suspended state with CreateProcess()
  2. The new process waits in the suspended state for ResumeThread()
  3. The contents of the legitimate image are swapped out for the malicious payload with ZwUnmapViewOfSection() or NtUnmapViewOfSection() ("If the call to this function occurs in user mode, you should use the name 'NtUnmapViewOfSection' instead of 'ZwUnmapViewOfSection'.")
  4. The loader then performs VirtualAllocEx() to allocate new memory for the malware
  5. WriteProcessMemory() writes each of the malware's sections into the swapped-out target process space
  6. The entry point for the malicious code is set with SetThreadContext()
  7. The malware then resumes the thread with ResumeThread() to take it out of the suspended state

CreateProcess() -> ResumeThread() -> Zw/NtUnmapViewOfSection() -> VirtualAllocEx() -> WriteProcessMemory() -> SetThreadContext() -> ResumeThread()
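From the defender's side, the chain above is what a detection would look for: a suspended launch followed, in order, by unmap, allocate, write, set-context and resume against the same target process. The following Python example is added here and is not part of the original notes; it runs the chain as a per-target state machine over constructed API telemetry (the event dicts and the hypothetical `ev()` helper are assumptions, not a real EDR format), and it treats step 2 as the target simply staying suspended, so ResumeThread() is matched once, at the end.

```python
from collections import defaultdict
# Chain from the notes above. The first stage must carry CREATE_SUSPENDED
# (0x4) so an ordinary process launch never starts a chain.
CHAIN = ["CreateProcess", "UnmapViewOfSection", "VirtualAllocEx",
         "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
CREATE_SUSPENDED = 0x4

def normalize(api):
    # Nt* and Zw* name the same system call; fold them into one stage.
    if api in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"):
        return "UnmapViewOfSection"
    return api

def detect_hollowing(events):
    """Return (source_pid, target_pid) pairs for which the full chain
    completed in order. events: dicts with ts, pid, target, api, flags."""
    stage = defaultdict(int)  # (source, target) -> index of next expected stage
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["pid"], e["target"])
        api = normalize(e["api"])
        if api != CHAIN[stage[key]]:
            continue  # repeated, out-of-order or unrelated call: no progress
        if api == "CreateProcess" and not e.get("flags", 0) & CREATE_SUSPENDED:
            continue  # not a suspended launch: chain does not start
        stage[key] += 1
        if stage[key] == len(CHAIN):
            hits.append(key)
            stage[key] = 0
    return hits

def ev(ts, pid, target, api, flags=0):  # hypothetical telemetry record
    return {"ts": ts, "pid": pid, "target": target, "api": api, "flags": flags}

SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    ev(1, 500, 600, "CreateProcess", CREATE_SUSPENDED),  # debugger-style launch
    ev(2, 500, 600, "ResumeThread"),                     # resumed untouched
    ev(3, 300, 400, "CreateProcess", CREATE_SUSPENDED),
    ev(4, 300, 400, "ZwUnmapViewOfSection"),
    ev(5, 300, 400, "VirtualAllocEx"),
    ev(6, 300, 400, "WriteProcessMemory"),  # one write per section
    ev(7, 300, 400, "WriteProcessMemory"),
    ev(8, 300, 400, "SetThreadContext"),
    ev(9, 300, 400, "ResumeThread"),
    ev(10, 700, 800, "CreateProcess"),       # ordinary launch
    ev(11, 700, 800, "WriteProcessMemory"),
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_EVENTS))  # [(300, 400)]
```

Requiring the whole ordered chain is what keeps the rule quiet on the two benign pairs: a suspended launch that is resumed untouched, and a normal launch followed by a stray WriteProcessMemory().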

Work in progress.