# Process Hollowing

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

Process hollowing is commonly performed by creating a process in a suspended state and then unmapping (hollowing) its memory, which is then replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which accepts a flag (CREATE_SUSPENDED) that starts the process with its primary thread suspended. At this point the original image can be unmapped with API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection; the injected image is then allocated and written into the process with VirtualAllocEx and WriteProcessMemory, the suspended thread's context is realigned to the new entry point with SetThreadContext, and the thread is started with ResumeThread.

This is very similar to Thread Local Storage injection but creates a new process rather than targeting an existing one. The behaviour will usually not result in elevated privileges, since the hollowed process is spawned by (and therefore inherits the security context of) the injecting process. Execution via process hollowing may, however, evade security products, because the code runs under the name and image path of a legitimate process.

**Example**

The easiest way to understand this technique is to imagine that this is the piece of code that runs the famous calculator:

B8F73405B620443B4325B0943287B9R

This code is responsible for executing the calc.exe binary on Windows. In process hollowing we suspend the process, carve out a piece of its code, insert our own and have it execute. Now let's say this is the code that runs our payload (Hello World):

AHIUDSGHIODSH

Now we want to insert this code into our calculator process. The technique will simply take:

B8F73405B620443B4325B0943287B9R

Remove some code

B8F7340\<EMPTY>287B9R

And inject our payload

B8F7340**AHIUDSGHIODSH**287B9R

In the following demo the technique launches svchost.exe, suspends it and injects a Hello World binary into the process. In the code the path to the payload binary is relative to the working directory, so both executables are placed in the same directory.

**Demo:**

![](/files/-MRkBkQQP8ZNpqlnXnN2)

References:

<https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations>

