Process hollowing is a common technique that injects code into a suspended process. Malware can use it to evade detection by running its code inside a legitimate process, so the malicious code appears to belong to a trusted executable.
How it works
To perform process hollowing, an attacker calls the following APIs, in this order:
CreateProcess: creates the target process in suspended mode, with the CREATE_SUSPENDED creation flag (0x00000004).
GetThreadContext: retrieves the context of the specified thread (the suspended process's main thread).
ZwUnmapViewOfSection: unmaps a view of a section from the virtual address space of a subject process (here, the original executable image of the suspended process).
VirtualAllocEx: allocates memory within the suspended process's address space.
WriteProcessMemory: writes the data of the PE file into the memory just allocated within the suspended process.
SetThreadContext: sets the EAX register to the entry point of the executable that was written.
ResumeThread: resumes the thread of the suspended process, so execution starts at the injected entry point.
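The API sequence above is also what a defender looks for. The following is an added example, not code from the original article: it parses constructed API-trace lines in a hypothetical `pid=... api=... target_pid=...` format and flags a source/target process pair once that pair has completed the ordered chain (CreateProcess with CREATE_SUSPENDED, an unmap of a section, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread). GetThreadContext is deliberately not required for a match, because debuggers and similar tools call it routinely. The sample lines, the line format and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample API-trace lines (not real telemetry), one call per line.
# Pair 4120 -> 5216 performs the full hollowing chain; pair 7008 -> 7100 is a
# debugger-like sequence (suspended create, context read/write, resume) and
# must not match; 3300 -> 3344 is a normal, non-suspended process creation.
SAMPLE_TRACE = """\
pid=4120 api=CreateProcessW target_pid=5216 flags=0x00000004
pid=4120 api=GetThreadContext target_pid=5216
pid=4120 api=ZwUnmapViewOfSection target_pid=5216
pid=4120 api=VirtualAllocEx target_pid=5216 protect=0x40
pid=4120 api=WriteProcessMemory target_pid=5216
pid=4120 api=SetThreadContext target_pid=5216
pid=4120 api=ResumeThread target_pid=5216
pid=7008 api=CreateProcessW target_pid=7100 flags=0x00000004
pid=7008 api=GetThreadContext target_pid=7100
pid=7008 api=SetThreadContext target_pid=7100
pid=7008 api=ResumeThread target_pid=7100
pid=3300 api=CreateProcessW target_pid=3344 flags=0x00000000
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit from the Windows API

# Ordered chain from the article. The first step is matched on the creation
# flag rather than on the API name, the second accepts the Zw/Nt spellings.
HOLLOWING_CHAIN = (
    "CreateProcess(suspended)",
    "UnmapViewOfSection",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
)

# Hypothetical trace format: pid, api, target_pid, optional creation flags.
LINE_RE = re.compile(r"pid=(\d+) api=(\w+) target_pid=(\d+)(?: flags=(0x[0-9a-fA-F]+))?")


def normalize(api, flags):
    """Map a raw API name to a chain step, or None if it is not part of the chain."""
    if api.startswith("CreateProcess"):
        if flags is not None and int(flags, 16) & CREATE_SUSPENDED:
            return "CreateProcess(suspended)"
        return None
    if api in ("ZwUnmapViewOfSection", "NtUnmapViewOfSection"):
        return "UnmapViewOfSection"
    if api in ("VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"):
        return api
    return None


def parse_trace(text):
    """Parse trace lines into (source_pid, api, target_pid, flags) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, api, target, flags = m.groups()
        events.append((int(pid), api, int(target), flags))
    return events


def find_hollowing(text):
    """Return {(source_pid, target_pid): steps_matched} for every pair that
    completes the whole chain in order. Calls outside the chain are ignored,
    and a call that arrives out of order does not advance the match."""
    progress = defaultdict(int)
    hits = {}
    for pid, api, target, flags in parse_trace(text):
        step = normalize(api, flags)
        if step is None:
            continue
        key = (pid, target)
        if step == HOLLOWING_CHAIN[progress[key]]:
            progress[key] += 1
            if progress[key] == len(HOLLOWING_CHAIN):
                hits[key] = progress[key]
    return hits


if __name__ == "__main__":
    for (src, dst), steps in find_hollowing(SAMPLE_TRACE).items():
        print(f"possible process hollowing: pid {src} -> suspended pid {dst} ({steps}/{len(HOLLOWING_CHAIN)} steps)")
```

Tracking progress per (source, target) pair rather than per API name is what keeps the debugger-like sequence from matching: it never unmaps the image or writes a new one, so it stalls at step one. In production telemetry the same idea is usually expressed as a correlation rule keyed on the created process's handle or PID.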
def quickSort(arr):
    # Partition around the first element, then sort the two halves recursively.
    less = []
    pivotList = []
    more = []
    if len(arr) <= 1:
        return arr
    pivot = arr[0]
    for x in arr:
        if x < pivot:
            less.append(x)
        elif x > pivot:
            more.append(x)
        else:
            pivotList.append(x)
    return quickSort(less) + pivotList + quickSort(more)