EvasiveProcessHollowing

Evasive Process Hollowing PoC

Proof of concept code which demonstrate a few of the "evasive process hollowing" techniques analyzed in the white paper "What Malware Authors Don't want you to know - Evasive Hollow Process Injection" written by Monnappa K A. The PoC code can be used as a testbed to replicate the memory forensics findings discussed in the white paper.

The resource file "HollowProcessInjection.rc" has a hardcoded path to the executable that is to be injected. The RCDATA path must be changed to reflect the .exe location on the host machine.
1. Process Hollowing - Allocation in a different address and PEB modification w/ process hollowing

PoC: HollowProcessInjection1

2. Process Hollowing - Allocation in a different address and PEB modification w/o process hollowing

PoC: HollowProcessInjection2

3. Process Hollowing - Address of Entry point Modification w/ changing the Memory Protection to PAGE_EXECUTE_WRITECOPY

PoC: HollowProcessInjection3

The injected .exe for this technique has been converted into shellcode using Hasherezade's pe_to_shellcode tool.

Sources:

What Malware Authors Don't want you to know - Evasive Hollow Process Injection\ Process Hollowing - John Leitch\ Hasherezade - pe_to_shellcode

reevesrs24 / EvasiveProcessHollowing

readme

EvasiveProcessHollowing

1. Process Hollowing - Allocation in a different address and PEB modification w/ process hollowing

2. Process Hollowing - Allocation in a different address and PEB modification w/o process hollowing

3. Process Hollowing - Address of Entry point Modification w/ changing the Memory Protection to PAGE_EXECUTE_WRITECOPY

Sources: