Process Hollowing

• Overview: Process Hollowing is a specific and relatively sophisticated code injection technique used to hide malicious code inside the virtual address space of a legitimate process, making it appear as though only the legitimate process is running.

• Mechanism:

  1. Create Suspended Process: The attacker starts a new instance of a legitimate, trusted Windows process (e.g., svchost.exe, explorer.exe, notepad.exe) but creates it in a suspended state using the CREATE_SUSPENDED flag with CreateProcess.

  2. Unmap Legitimate Code: The memory region containing the original, legitimate code of the suspended process is then forcibly unmapped or deallocated using functions like NtUnmapViewOfSection or ZwUnmapViewOfSection. This "hollows out" the process's address space.

  3. Allocate New Memory: New memory is allocated within the now-empty address space of the hollowed process using VirtualAllocEx.

  4. Inject Malicious Code: The attacker's malicious code (which must be a full PE executable, often packed) is written into this newly allocated memory region using WriteProcessMemory.

  5. Redirect Execution: The execution context of the primary thread of the suspended process is modified (using GetThreadContext and SetThreadContext) so that its instruction pointer (e.g., RIP/EIP register) points to the entry point of the injected malicious code instead of the original process's entry point.

  6. Resume Process: The suspended process is finally resumed using ResumeThread. It now begins executing the malicious code, but from the operating system's perspective (and in tools like Task Manager), it still appears to be the original legitimate process (e.g., svchost.exe).

• Why Cheaters Use It: Primarily for stealth and evasion. It effectively masks the presence of the malicious executable (the cheat) by running it under the identity of a trusted system process. This can bypass process whitelisting, simple process monitoring, and make the cheat harder to spot in a running process list.

• Detection: Detecting process hollowing typically requires memory analysis or advanced behavioral monitoring: Note: To make a Process Hollow you need an executable file that hollows another. Obviously, the easiest way to prove a process hollow is to prove that an exe serving as a hollower has been started. If that exe was started via Fileless Injection, then proving it via the detect method of fileless injection is the way

  • Memory Analysis (Volatility): Plugins like hollowfind are specifically designed to detect common indicators of process hollowing, such as discrepancies between the process listed in the PEB (Process Environment Block) and the actual code found in memory, or identifying processes with unmapped executable sections. malfind might also flag the injected code region.

  • Process Memory Inspection (System Informer): Compare the process path listed in System Informer with the actual modules and memory content. Finding executable code in private memory regions that doesn't correspond to the legitimate modules of the host process is indicative. The absence of the original process's main module in the loaded modules list might also be a clue.

  • Prefetch Anomaly: As mentioned previously, sometimes process hollowing can result in the Prefetch entry for the host process having an empty or missing "Executable Path" field in tools like WinPrefetchView.

  • Kernel Live Dump: Analyzing strings in a kernel dump might reveal traces left by the tool or script used to perform the hollowing process itself (e.g., API calls related to process creation, unmapping, and context modification). Specifically searching the dump keywords present in commands, has been noted as potentially correlating with certain hollowing tools or techniques.