Process Hollowing involves the execution of custom arbitrary code within the memory space of a legitimate process.
- The target process is created with the suspended flag
- Process basic information (PBI) is acquired using NtQueryInformationProcess
- Memory is allocated for the new image base (an RWX allocation gets picked up by Defender)
- The original code is unmapped
- The shellcode is written to the allocated memory space
- The image base in the PEB is rewritten using the PBI (PebBaseAddress) and the offset of 0x10
- A new thread is created at the entry point
- Execution is resumed so everything runs in the context of the legit process
- Clean up
- Either build the exe or get it from releases (flagged as malware)
- Create paths.txt in the same directory as the exe
- Enter the paths to your executables
- If you wish to hardcode the shellcode, do what the comment says
- Clone the repo and hardcode your shellcode in hdr/shellcode.h
- You can get the shellcode using the provided shellcode converter
- If you wish to merge these 2 solutions, go ahead and open a pull request
- If you wish to learn more about this technique you should check these out:
You can find my Discord here
- The subsystems of both executables should match
- If you tweak this enough it will bypass most user-mode (UM) anticheats
- This is for EDUCATIONAL PURPOSES ONLY