User
Advanced
Verified_Protocol
windows

Windows Process Hollowing

"Mastering evasion techniques by injecting code into legitimate processes via Process Hollowing."

PopDocs Intel
May 20, 2024
2 MIN

Windows Process Hollowing (T1055.012)

Process Hollowing is a code injection technique where the executable logic of a legitimate process is replaced with arbitrary malicious code.

Technical Breakdown

  1. Process Creation: Start a legitimate process (like svchost.exe or explorer.exe) in a suspended state using CreateProcessA with the CREATE_SUSPENDED flag.
  2. **Unmapping Memory: Use ZwUnmapViewOfSectionorNtUnmapViewOfSection` to hollow out the original executable code from the process's memory space.
  3. Memory Allocation: Allocate new memory in the target process using VirtualAllocEx.
  4. Code Injection: Write the malicious payload into the newly allocated space with WriteProcessMemory.
  5. Entry Point Hijacking: Adjust the thread context (SetThreadContext) to point to the new entry point.
  6. Resuming Execution: Resume the process using ResumeThread.

Lab Scenario: Hollowing svchost.exe

In this lab, we will use a custom C++ loader to hollow out a suspended instance of svchost.exe.

Step 1: Create Suspended Process

cpp
STARTUPINFOA si;
PROCESS_INFORMATION pi;
CreateProcessA(NULL, (LPSTR)"svchost.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);

Step 2: Unmap Original Executable

We need to query the base address of the image from the PEB (Process Environment Block).

Step 3: Inject Payload

Ensure the base address and relocations are handled correctly if the payload isn't position-independent.

Defensive Perspective

Evasion-focused EDRs look for:

  • Processes created with CREATE_SUSPENDED.
  • Use of NtUnmapViewOfSection followed by VirtualAllocEx with PAGE_EXECUTE_READWRITE.
  • Inconsistencies between the PEB and the actual resident image.
End_Of_Protocol
EOF_0xE1B9FF.0D0B845