Back in 2011 a number of blogs and papers described a widely used malware technique for hiding malicious activity called process hollowing. Lately we are experiencing some "flashbacks" of this delightful technique, so I decided to write a little about it, in case someone needs a refresh.
Process hollowing is a technique used by some malware in which a legitimate process is loaded on the system solely to act as a container for hostile code. At launch, the legitimate code is deallocated and replaced with malicious code.
|Process Hollowing (figure)|
The beauty of this technique is that the malicious code hides inside what looks like a conventional process: the path, the name and the file on disk are those of the legitimate host, while the code that actually runs belongs to the attacker. Let's walk through the technique step by step:
The malware starts a legitimate process with CreateProcess, passing the CREATE_SUSPENDED flag in dwCreationFlags (fdwCreate in older documentation), so the process and its primary thread exist but nothing has run yet.
The process has been created and is in a suspended state. Now it's time to hollow the legitimate code out of the host process's memory: the image base is read from the PEB (ImageBaseAddress) and the whole image is unmapped with NtUnmapViewOfSection (exported by ntdll as ZwUnmapViewOfSection as well).
The malware then allocates memory for the new code, classically with VirtualAllocEx, ideally at the payload's preferred ImageBase so that no relocations are needed, and marks it writable and executable through flProtect (PAGE_EXECUTE_READWRITE).
Now it's time to write the malicious code into the hollow host process with the romantic WriteProcessMemory: the PE headers first, then each section at its VirtualAddress.
In order to camouflage the malware, the author should restore the normal page protections, like any other process, with VirtualProtectEx: read-only headers, read/execute code, read/write data. An image left RWX is an obvious giveaway.
It should also set the remote thread context to point at the new code: on x86 the EAX register of the suspended primary thread holds the entry point (RCX on x64), so it is rewritten to the new entry point and pushed back with SetThreadContext, and the PEB's ImageBaseAddress is updated to the new base.
It's time to resume the suspended thread (ResumeThread) and "game over"!
We've just fired up a brand new (and potentially malicious) process!
Focusing on detection: it is going to be hard with static signatures (such as the romantic antivirus signatures), because the only file on disk is the clean host executable; but with the possibility to dynamically analyse system calls (as in a sandboxed environment, or an EDR that watches for CreateProcess with CREATE_SUSPENDED followed by NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory and SetThreadContext aimed at the same child) the detection rate will increase drastically. The memory layout gives it away too: the hollowed process's main image is private memory rather than a file-backed MEM_IMAGE section, and its in-memory PE header no longer matches the file on disk.
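The memory-layout check just mentioned, as an added example written for this page (not code from the original post or from any product). A hollowed host has its main image unmapped and replaced by VirtualAllocEx memory, so the region at PEB.ImageBaseAddress is MEM_PRIVATE with no backing file instead of MEM_IMAGE. is_hollowed() is portable and runs over region tables constructed inline (they are not captured from a real process); scan_process() feeds it real VirtualQueryEx output and compiles only on Windows. The Region struct and the constants are assumed to mirror MEMORY_BASIC_INFORMATION's Type and Protect values.

```c
/* Added example, not from the original post: the memory-layout check a sandbox or EDR
 * can run against the steps above. is_hollowed() is portable and runs over constructed
 * region tables; scan_process() feeds it real VirtualQueryEx output on Windows only.
 * Assumption: Region mirrors MEMORY_BASIC_INFORMATION's Type/Protect values. */
#include <stdint.h>
#include <stddef.h>

#define R_MEM_PRIVATE            0x20000u    /* MEMORY_BASIC_INFORMATION.Type */
#define R_MEM_IMAGE              0x1000000u
#define R_PAGE_EXECUTE_READ      0x20u       /* MEMORY_BASIC_INFORMATION.Protect */
#define R_PAGE_EXECUTE_READWRITE 0x40u

typedef struct { uint64_t base, size; uint32_t type, protect; } Region;

enum { HOLLOW_IMAGE_UNMAPPED = 1,  /* nothing committed at the PEB's image base: unmapped, PEB never fixed */
       HOLLOW_IMAGE_PRIVATE  = 2,  /* image base is private memory, not a file-backed section */
       HOLLOW_RWX_PRIVATE    = 4 };/* private RWX region: payload written but never re-protected */

/* Bitmask of findings (0 = clean) for a process whose PEB claims its image lives at image_base. */
int is_hollowed(const Region *r, size_t n, uint64_t image_base)
{
    int flags = 0, found = 0;
    for (size_t i = 0; i < n; i++) {
        if (image_base >= r[i].base && image_base < r[i].base + r[i].size) {
            found = 1;
            if (r[i].type != R_MEM_IMAGE) flags |= HOLLOW_IMAGE_PRIVATE;
        }
        /* RWX private memory is a weak signal alone (JITs use it) but confirms step 4 without step 5 */
        if (r[i].type == R_MEM_PRIVATE && r[i].protect == R_PAGE_EXECUTE_READWRITE) flags |= HOLLOW_RWX_PRIVATE;
    }
    return found ? flags : (flags | HOLLOW_IMAGE_UNMAPPED);
}

/* Constructed region tables (not captured from a real process); protect 0x02 / 0x04 = read-only / read-write. */
static const Region CLEAN[] = {
    { 0x00400000, 0x3000,   R_MEM_IMAGE,   0x02 },                 /* host.exe, file-backed image section */
    { 0x00600000, 0x10000,  R_MEM_PRIVATE, 0x04 },                 /* heap */
    { 0x77000000, 0x1A0000, R_MEM_IMAGE,   R_PAGE_EXECUTE_READ },  /* ntdll.dll */
};
static const Region HOLLOWED[] = {     /* steps 2-4 done, step 5 skipped: payload still RWX */
    { 0x00400000, 0x3000,   R_MEM_PRIVATE, R_PAGE_EXECUTE_READWRITE },
    { 0x00600000, 0x10000,  R_MEM_PRIVATE, 0x04 },
    { 0x77000000, 0x1A0000, R_MEM_IMAGE,   R_PAGE_EXECUTE_READ },
};
static const Region CAMOUFLAGED[] = {  /* step 5 done: protections look normal, but still no backing file */
    { 0x00400000, 0x3000,   R_MEM_PRIVATE, R_PAGE_EXECUTE_READ },
    { 0x00600000, 0x10000,  R_MEM_PRIVATE, 0x04 },
    { 0x77000000, 0x1A0000, R_MEM_IMAGE,   R_PAGE_EXECUTE_READ },
};
int demo_clean(void)       { return is_hollowed(CLEAN, 3, 0x400000); }
int demo_hollowed(void)    { return is_hollowed(HOLLOWED, 3, 0x400000); }
int demo_camouflaged(void) { return is_hollowed(CAMOUFLAGED, 3, 0x400000); }

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef LONG (NTAPI *NtQueryInformationProcess_t)(HANDLE, int, PVOID, ULONG, PULONG);

/* Read PEB.ImageBaseAddress, walk the address space with VirtualQueryEx, and score it. -1 = no access. */
int scan_process(DWORD pid)
{
    static Region regs[4096]; size_t n = 0;
    PROCESS_BASIC_INFORMATION pbi; ULONG len; PVOID image_base = NULL;
    MEMORY_BASIC_INFORMATION mbi; BYTE *addr = NULL;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return -1;
    NtQueryInformationProcess_t q = (NtQueryInformationProcess_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    if (!q || q(h, 0 /* ProcessBasicInformation */, &pbi, sizeof pbi, &len) != 0) { CloseHandle(h); return -1; }
#ifdef _WIN64
    const SIZE_T ib_off = 0x10;   /* PEB.ImageBaseAddress offset on x64 */
#else
    const SIZE_T ib_off = 0x08;   /* ... and on x86 */
#endif
    ReadProcessMemory(h, (BYTE *)pbi.PebBaseAddress + ib_off, &image_base, sizeof image_base, NULL);
    while (n < 4096 && VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT) {
            regs[n].base = (uint64_t)(ULONG_PTR)mbi.BaseAddress; regs[n].size = mbi.RegionSize;
            regs[n].type = mbi.Type; regs[n].protect = mbi.Protect; n++;
        }
        addr = (BYTE *)mbi.BaseAddress + mbi.RegionSize;
    }
    CloseHandle(h);
    return is_hollowed(regs, n, (uint64_t)(ULONG_PTR)image_base);
}
#endif
```

The three constructed tables show why the protection-restoring step matters to the attacker and why it is not enough: the RWX heuristic catches only the lazy variant, while the "image base is not MEM_IMAGE" check still fires after protections have been normalised, because VirtualAllocEx can never produce a file-backed image section. A scanner that also compares the in-memory PE header at that base with the host file on disk closes the remaining gap for attackers who write the payload elsewhere and leave the PEB untouched.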