
Process Hollowing - PoC Demonstration

Process hollowing is a well-established technique in the Process Image Modification class of malware development and AV/EDR evasion. First observed in the wild around 2011, it remains a relevant and effective method for executing malicious code under the guise of a benign process.

For this proof of concept, I used the C programming language and leveraged several native Windows Nt* API functions to perform the process hollowing.

This video demonstrates a complete process hollowing flow using a custom executable.

The demonstration begins with the ProcessHollow.exe binary being downloaded and executed. In this PoC, notepad.exe is used as the hollowed target, and popup.exe serves as the malicious payload.

A new notepad.exe process is launched and receives PID 8680. Using Process Hacker, the process is inspected to confirm that its modules and memory layout look normal before hollowing takes place.

The hollowing routine then continues, carrying out the following sequence:

1. Identify the image base address of the target process
2. Unmap the target's original PE image
3. Create a section from the popup.exe payload
4. Map a view of the section into the current (injector) process
5. Extract the preferred image base from the payload's PE header
6. Update the target process's image base to match the payload's preferred base
7. Set the new entry point in the target process
8. Map the section into the target process's memory

After these steps are completed, the target process is once again inspected in Process Hacker. The original notepad.exe image is no longer present, and popup.exe now appears as the loaded image. The memory map confirms that the payload has been successfully injected, with all PE sections correctly placed at the appropriate addresses.
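The Process Hacker inspection above is exactly the comparison a detector automates: read the PE header of the main image at the process's current image base and check it against the header of the executable the process claims to be on disk. The following is an added example, not code from the post or from MalDevTy; it implements that comparison over constructed header bytes. The two byte strings are minimal PE headers built by `build_pe_header` (a helper written for this example), with made-up base addresses, entry points and section layouts standing in for notepad.exe and popup.exe; in a real check the "in memory" buffer would be read from the target process at the PEB's ImageBaseAddress and the "on disk" buffer from the main module's file path.

```python
"""Hollowing check: does the PE header found at a process's image base agree
with the header of the file the process claims to be?  A hollowed process
carries a different entry point RVA and section table, because the whole
image was replaced.  All sample bytes here are constructed, not real files."""
import struct

def build_pe_header(image_base, entry_point, sections, pe32plus=True):
    """Construct a minimal PE header (DOS header + NT headers + section table).
    Helper for building sample input only.  `sections` is [(name, va, vsize)]."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 240 if pe32plus else 224
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                           len(sections), 0, 0, 0, opt_size, 0x22)
    # Optional header: Magic, linker ver (2 bytes), SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, then ImageBase
    # (PE32+ at +24 as 8 bytes; PE32 has BaseOfData at +24 and ImageBase at +28)
    opt = struct.pack("<HBBIIIII", 0x20B if pe32plus else 0x10B, 14, 0,
                      0x1000, 0x1000, 0, entry_point, 0x1000)
    opt += struct.pack("<Q", image_base) if pe32plus else struct.pack("<II", 0x2000, image_base)
    opt += b"\0" * (opt_size - len(opt))          # data directories left zeroed
    secs = b""
    for name, va, vsize in sections:              # 40-byte IMAGE_SECTION_HEADER each
        secs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            vsize, va, vsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + opt + secs

def parse_pe_header(buf):
    """Extract the fields a hollowing check compares from raw PE header bytes."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry_point = struct.unpack_from("<I", buf, opt + 16)[0]
    if magic == 0x20B:                            # PE32+
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    elif magic == 0x10B:                          # PE32
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name = buf[off:off + 8].rstrip(b"\0").decode()
        vsize, va = struct.unpack_from("<II", buf, off + 8)
        sections.append((name, va, vsize))
    return {"image_base": image_base, "entry_point": entry_point, "sections": sections}

def compare_images(on_disk, in_memory):
    """Compare the on-disk header with the header read at the process's image base.
    Entry point and section table mismatches are strong hollowing indicators;
    an image base mismatch alone is only informational, since ASLR relocates images."""
    disk, mem = parse_pe_header(on_disk), parse_pe_header(in_memory)
    notes, suspicious = [], False
    if disk["entry_point"] != mem["entry_point"]:
        suspicious = True
        notes.append(f"entry point RVA {disk['entry_point']:#x} on disk vs {mem['entry_point']:#x} in memory")
    if disk["sections"] != mem["sections"]:
        suspicious = True
        notes.append(f"section table differs: disk={disk['sections']} memory={mem['sections']}")
    if disk["image_base"] != mem["image_base"]:
        notes.append(f"image base {disk['image_base']:#x} on disk vs {mem['image_base']:#x} "
                     "in memory (informational: ASLR relocation is expected)")
    return {"suspicious": suspicious, "notes": notes}

# Constructed sample headers (values are invented, not taken from real binaries).
NOTEPAD_ON_DISK = build_pe_header(
    0x140000000, 0x1A3C0,
    [(".text", 0x1000, 0x2A000), (".rdata", 0x2C000, 0xC000), (".data", 0x38000, 0x3000)])
# What a detector would read back after the image has been swapped for a 32-bit payload.
POPUP_IN_MEMORY = build_pe_header(
    0x400000, 0x1200, [(".text", 0x1000, 0x800), (".rdata", 0x2000, 0x400)], pe32plus=False)

if __name__ == "__main__":
    print("untouched process:", compare_images(NOTEPAD_ON_DISK, NOTEPAD_ON_DISK))
    print("hollowed process: ", compare_images(NOTEPAD_ON_DISK, POPUP_IN_MEMORY))
```

The check deliberately treats an image base difference as informational: a relocated but otherwise intact image differs only in base, whereas the hollowed notepad.exe in this demonstration also has the payload's entry point and section table, which is what the Process Hacker memory map shows.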

Finally, the process is resumed via the command prompt. The popup window appears as expected, while Task Manager still shows notepad.exe as the running process, demonstrating successful process hollowing and evasion of visual indicators.

Disclaimer:
This proof of concept was developed and executed strictly within a controlled lab environment for research purposes only. Process hollowing is a powerful technique that can be abused maliciously, and this post is intended to support defensive research, threat detection, and ethical red team operations. Always follow your local laws and organisational policies when conducting security research.

Video "Process Hollowing - PoC Demonstration" from the channel MalDevTy
