Process Hollowing

Process Hollowing is the technique of executing malicious code, in a running legitimate process to avoid detection by process-based defenses. The Malware launcher will create a legitimate process (e.g. calc.exe), suspended the process, hollow out the executable’s image in its memory and inject malicious code into that virtual memory space of the legitimate process.

This is a simple informative tutorial in how Process Hollowing works. Using a Process Hollowing tool, I will run a legitimate process, suspend that process and hollow out its memory, replacing it with a simple piece of code. Using a debugger I will find this code and reverse it back to an understandable format.

Payload

To keep this as simple and as basic as I can, the code im going to inject is a simple MessageBox created with a 32bit compiler, the binary I called “Payload”.

Process Hollowing Tool

Im going to use a process hollowing tool to inject the code, this tool will tell me what process will be used, process PID, ImageBase (start of the exe file ) address, size, allocated memory, where each section is injected too and the entry point (where code execution starts).

I start the application and point to my Payload binary.

I instantly get all the information I need. The process being injected into is the calculator (calc.exe) process which is a standard windows process. The PID is 12636, the PED is 0x53e000, the image base address is 700000. The entry point is 0x7014e0.

Now my code has been successfully been injected my next task is to find it and to do that I have to find its assembly addresses.

Finding the Injected code.

My injected code wont have any information such as Strings or Windows API function information, it will be bare assembly addresses. I have to reverse my payload binary first in the Snowman Decompiler to get these address.