
Process Hollowing

Spawning a legitimate process in a suspended state, unmapping its image and replacing it with malicious code before resuming — runs malware under a trusted process name.

Process hollowing (a.k.a. RunPE) launches a benign process suspended, carves out its mapped image, writes a malicious PE in its place, fixes the entry point, and resumes the thread — so malicious code executes under the identity of a trusted binary such as svchost.exe.

Typical call sequence

```text
CreateProcess(..., CREATE_SUSPENDED, ...)
NtUnmapViewOfSection(hProcess, imageBase)
VirtualAllocEx(hProcess, imageBase, sizeOfImage, ...)
WriteProcessMemory(hProcess, imageBase, payload, ...)
SetThreadContext(hThread, ctxWithNewEntry)   ; patch RCX/EAX entrypoint
ResumeThread(hThread)
```

Detection & analysis

  • The mismatch between the on-disk image and the in-memory image of a process is the classic tell — tools like Moneta and pe-sieve flag it.
  • Watch for CREATE_SUSPENDED followed by NtUnmapViewOfSection + WriteProcessMemory + SetThreadContext against the same handle.
  • Compare PEB->ImageBaseAddress and the section's backing file.
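
As an added example (not code from the original page), the second bullet's call-chain heuristic applied to a constructed per-process API trace in Python: a child is flagged only when a CreateProcess with CREATE_SUSPENDED is followed by all of NtUnmapViewOfSection, WriteProcessMemory and SetThreadContext from the same caller against the same target. The log format, pids and image paths are made up for the example.

```python
# Added example (not from the page or any project it names): correlate a
# per-process API trace for the CREATE_SUSPENDED -> NtUnmapViewOfSection ->
# WriteProcessMemory -> SetThreadContext chain. Log format is constructed.
import re

# Constructed trace: "seq=<n> pid=<caller> api=<name> target=<child> [k=v ...]".
SAMPLE_TRACE = """\
seq=1 pid=4100 api=CreateProcessW target=4204 flags=CREATE_SUSPENDED image=C:\\Windows\\System32\\svchost.exe
seq=2 pid=4100 api=NtUnmapViewOfSection target=4204
seq=3 pid=4100 api=VirtualAllocEx target=4204
seq=4 pid=4100 api=WriteProcessMemory target=4204
seq=5 pid=4100 api=SetThreadContext target=4204
seq=6 pid=4100 api=ResumeThread target=4204
seq=7 pid=5000 api=CreateProcessW target=5012 flags=CREATE_SUSPENDED image=C:\\Windows\\System32\\notepad.exe
seq=8 pid=5000 api=WriteProcessMemory target=5012
seq=9 pid=5000 api=ResumeThread target=5012
seq=10 pid=6000 api=CreateProcessW target=6010 flags=0 image=C:\\Windows\\System32\\cmd.exe
seq=11 pid=6000 api=NtUnmapViewOfSection target=6010
seq=12 pid=6000 api=WriteProcessMemory target=6010
seq=13 pid=6000 api=SetThreadContext target=6010
"""

HOLLOW_CHAIN = frozenset({"NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext"})

def parse_line(line):
    """Split 'k=v k=v ...' into a dict; values may hold ':' and backslashes."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def detect_hollowing(trace):
    """Return (caller_pid, target_pid, image) for every child that was created
    suspended and then received the full unmap + write + set-context chain."""
    pending = {}  # (caller, target) -> {"image": str, "seen": set of chain APIs}
    hits = []
    for raw in trace.splitlines():
        ev = parse_line(raw)
        key, api = (ev.get("pid"), ev.get("target")), ev.get("api")
        if api == "CreateProcessW" and "CREATE_SUSPENDED" in ev.get("flags", ""):
            pending[key] = {"image": ev.get("image", "?"), "seen": set()}
        elif key in pending and api in HOLLOW_CHAIN:
            pending[key]["seen"].add(api)
            if pending[key]["seen"] == HOLLOW_CHAIN:
                hits.append((key[0], key[1], pending.pop(key)["image"]))  # report once
    return hits

if __name__ == "__main__":
    for caller, target, image in detect_hollowing(SAMPLE_TRACE):
        print(f"possible process hollowing: pid {caller} hollowed {target} ({image})")
```

Only the first caller (pid 4100) is reported: pid 5000 creates a suspended child but only writes to it, as a debugger or launcher might, and pid 6000 runs the chain against a child that was never created suspended, so neither meets the bullet's full condition.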