Process hollowing

From Unprotect Project
Revision as of 21:32, 6 November 2016 by Admin

Process hollowing is a common technique that injects code into a suspended process. Malware uses it to run its own code inside a legitimate process: the target's original image is unmapped and replaced with the attacker's executable, so the malicious code runs under the legitimate process's name, path and process ID, which helps it avoid detection.

How it works

To hollow a process, the loader calls the following Windows APIs, in this order:

  • CreateProcess: starts the host executable with the CREATE_SUSPENDED creation flag (0x00000004), so its main thread exists but has not yet run any of the host's code.
  • GetThreadContext: retrieves the register context of the suspended main thread. At process start it holds the entry point (EAX on x86, RCX on x64) and the PEB address (EBX on x86, RDX on x64), from which the host's image base can be read.
  • ZwUnmapViewOfSection (exported by ntdll as NtUnmapViewOfSection): unmaps the host's image from the virtual address space of the suspended process, freeing that address range.
  • VirtualAllocEx: allocates memory within the suspended process's address space for the payload, ideally at the payload's preferred ImageBase; if that range is unavailable the payload has to be relocated.
  • WriteProcessMemory: writes the payload's PE headers and then each section, at its virtual address, into the memory just allocated; the PEB's ImageBaseAddress is usually updated to the new base as well.
  • SetThreadContext: sets the entry-point register (EAX on x86, RCX on x64) to the entry point of the executable just written.
  • ResumeThread: resumes the main thread, which now executes the payload inside the host process.