Windows Process Hollowing
"Mastering evasion techniques by injecting code into legitimate processes via Process Hollowing."
Windows Process Hollowing (T1055.012)
Process Hollowing is a code injection technique where the executable logic of a legitimate process is replaced with arbitrary malicious code.
Technical Breakdown
- Process Creation: Start a legitimate process (like
svchost.exeorexplorer.exe) in a suspended state usingCreateProcessAwith theCREATE_SUSPENDEDflag. - **Unmapping Memory
: UseZwUnmapViewOfSectionorNtUnmapViewOfSection` to hollow out the original executable code from the process's memory space. - Memory Allocation: Allocate new memory in the target process using
VirtualAllocEx. - Code Injection: Write the malicious payload into the newly allocated space with
WriteProcessMemory. - Entry Point Hijacking: Adjust the thread context (
SetThreadContext) to point to the new entry point. - Resuming Execution: Resume the process using
ResumeThread.
Lab Scenario: Hollowing svchost.exe
In this lab, we will use a custom C++ loader to hollow out a suspended instance of svchost.exe.
Step 1: Create Suspended Process
STARTUPINFOA si;
PROCESS_INFORMATION pi;
CreateProcessA(NULL, (LPSTR)"svchost.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
Step 2: Unmap Original Executable
We need to query the base address of the image from the PEB (Process Environment Block).
Step 3: Inject Payload
Ensure the base address and relocations are handled correctly if the payload isn't position-independent.
Defensive Perspective
Evasion-focused EDRs look for:
- Processes created with
CREATE_SUSPENDED. - Use of
NtUnmapViewOfSectionfollowed byVirtualAllocExwithPAGE_EXECUTE_READWRITE. - Inconsistencies between the PEB and the actual resident image.