Process Hollowing

shashank Jain
4 min readJul 8, 2018

In continuation of the possible attack vectors, we digress a bit from shell code execution via buffer overflows (https://medium.com/@jain.sm/shell-code-exploit-with-buffer-overflow-8d78cc11f89b)and instead discuss an interesting attack technique called process hollowing

Before we start a basic introduction of the Process Executable file (PE) is important. A process executable file is the file which is what the windows loader program loads to execute the process. This file is basically constituting of headers and sections. We won’t go over all details of PE file here, but to understand a bit , this is the layout of the PE file.

The PE header is made of PE File Header and PE Optional Headers. The File header states the number of sections (text, data, bss, rsrc) while the optional header also constitutes an important member which points to the starting point of the program called AddressOfEntryPoint

The basic idea of process hollowing is to have a running process whose memory is unmapped and replaced by other executable. This is a technique used by malwares where they start a normal process (say svchost.exe) and then replace the content of the process with malicious code. The idea is that the admin if he/she looks into the process explorer, they would not see the malicious process but the actual process (svchost), but infact the malicious code is running under its façade.

There are techniques to detect this anomaly via memory forensics using tools like volatility.

--

--