This repository has been archived by the owner on Jun 20, 2023. It is now read-only.

Process hollowing #10

Open
holly-hacker opened this issue Mar 8, 2018 · 4 comments
Labels
feature New features or modules

Comments

@holly-hacker
Owner

holly-hacker commented Mar 8, 2018

I've seen this in practice before. Hollowing an external or its own process would be a neat packer. For more, see this.

EDIT: This seems to be called RunPE.

@holly-hacker holly-hacker added the feature New features or modules label Mar 8, 2018
@holly-hacker
Owner Author

See this crackme for a practical implementation.

@roachadam

While a neat concept, it's very easy to dump, so it wouldn't be much of a protection. Not to mention it would be flagged by any half-decent anti-malware software, as it's often used to disguise malware.

@holly-hacker
Owner Author

Any packer can easily be dumped; there is separate protection for that. It's true that this would possibly be detected by anti-malware software, but you run that risk regardless when you obfuscate your software.

This wouldn't be very practical for most applications, but it just seems like a fun thing to implement nonetheless.

@owersite

Process Hollowing is useless.


3 participants