febinrev / EvasiveProcessHollowing

Evasive Process Hollowing Techniques

EvasiveProcessHollowing

Evasive Process Hollowing PoC

Proof-of-concept code that demonstrates a few of the "evasive process hollowing" techniques analyzed in the white paper "What Malware Authors Don't want you to know - Evasive Hollow Process Injection" by Monnappa K A. The PoC code can be used as a testbed to reproduce the memory forensics findings discussed in the white paper.

  • The resource file "HollowProcessInjection.rc" has a hardcoded path to the executable that is to be injected. The RCDATA path must be changed to reflect the .exe location on the host machine.

1. Process Hollowing - Allocation in a different address and PEB modification w/ process hollowing

PoC: HollowProcessInjection1

2. Process Hollowing - Allocation in a different address and PEB modification w/o process hollowing

PoC: HollowProcessInjection2

3. Process Hollowing - Address of Entry point Modification w/ changing the Memory Protection to PAGE_EXECUTE_WRITECOPY

PoC: HollowProcessInjection3

  • The injected .exe for this technique has been converted into shellcode using Hasherezade's pe_to_shellcode tool.
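As an added example that is not part of this repository, the following Python sketches the kind of cross-checks a memory forensics tool runs to surface the three techniques above: PEB image base versus loader module list, whether the image and entry-point regions are file-backed, and their page protection. The process metadata (regions, PEB/LDR image bases, entry point) is constructed inline; a real tool would parse it from a memory dump.

```python
from dataclasses import dataclass
from typing import List, Optional

PAGE_EXECUTE_READWRITE = 0x40   # Windows memory protection constants
PAGE_EXECUTE_WRITECOPY = 0x80

@dataclass
class Region:
    """One committed memory region as a VAD walk would report it."""
    base: int
    size: int
    protect: int
    mapped_file: Optional[str] = None   # None means private, unbacked memory

@dataclass
class ProcessView:
    """Constructed process metadata (assumed inputs, not parsed from a dump)."""
    peb_image_base: int     # PEB.ImageBaseAddress
    ldr_image_base: int     # DllBase of the first InLoadOrderModuleList entry
    entry_point: int        # AddressOfEntryPoint from the in-memory PE header, resolved
    regions: List[Region]

def region_for(view: ProcessView, addr: int) -> Optional[Region]:
    return next((r for r in view.regions if r.base <= addr < r.base + r.size), None)

def hollowing_indicators(view: ProcessView) -> List[str]:
    """Return the discrepancies the techniques above leave behind in memory."""
    findings = []
    if view.peb_image_base != view.ldr_image_base:
        findings.append("PEB ImageBaseAddress differs from the LDR module base")
    img = region_for(view, view.peb_image_base)
    if img is None or img.mapped_file is None:
        findings.append("PEB image base lies in private (unbacked) memory")
    elif img.protect == PAGE_EXECUTE_READWRITE:
        findings.append("image region is PAGE_EXECUTE_READWRITE, not WRITECOPY")
    ep = region_for(view, view.entry_point)
    if ep is None or ep.mapped_file is None:
        findings.append("entry point lies in private (unbacked) memory")
    elif img is not None and ep.base != img.base:
        findings.append("entry point is outside the PEB image region")
    return findings

# Constructed sample views; addresses are illustrative, not taken from the PoC.
MAIN = Region(0x400000, 0x10000, PAGE_EXECUTE_WRITECOPY, r"C:\Windows\System32\svchost.exe")
def sample_clean() -> ProcessView:
    return ProcessView(0x400000, 0x400000, 0x401000, [MAIN])
def sample_relocated_image() -> ProcessView:   # techniques 1 and 2: PEB repointed
    return ProcessView(0x10000000, 0x400000, 0x10001000,
                       [MAIN, Region(0x10000000, 0x20000, PAGE_EXECUTE_READWRITE)])
def sample_patched_entry() -> ProcessView:     # technique 3: WRITECOPY but unbacked
    return ProcessView(0x400000, 0x400000, 0x7f0000,
                       [MAIN, Region(0x7f0000, 0x8000, PAGE_EXECUTE_WRITECOPY)])
```

The third sample shows why protection alone is a weak signal: the PAGE_EXECUTE_WRITECOPY region still has no backing file, which is what the check keys on.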

Sources:

What Malware Authors Don't want you to know - Evasive Hollow Process Injection
Process Hollowing - John Leitch
Hasherezade - pe_to_shellcode

Languages: C 60.1%, C++ 39.9%