Process Hollowing
Last updated
Last updated
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.
This is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and this inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.
Example
In easy terms to understand this technique is let us imagine this is a piece of code that runs the famous calculator.
B8F73405B620443B4325B0943287B9R
This code is the one responsible for executing the calc.exe binary in windows In process hollowing we are trying to suspend the process, carve out a piece of code and insert our own and have it execute. Now let's say this code is the one that runs our payload (Hello World).
AHIUDSGHIODSH
Now we want to insert this code into our calculator process. So the technique will simply grab:
B8F73405B620443B4325B0943287B9R
Remove some code
B8F7340<EMPTY>287B9R
And inject our payload
B8F7340AHIUDSGHIODSH287B9R
In the following Demo the technique will execute svchost, suspend it and inject a hello world binary onto the process, in the code the path to the binary is in the working directory so both are placed in the same directory.
Demo:
References: