CompTIA Security+ Exam Notes

CompTIA Security+ Exam Notes
Let Us Help You Pass

Friday, May 22, 2026

Process Hollowing Explained: How Malware Hides in Trusted Processes

 Process Hollowing

Process hollowing (also called RunPE) is a technique used in malware and offensive security in which a legitimate process is created in a suspended state, its memory is replaced (or “hollowed out”) with malicious code, and execution is then resumed so the malicious code runs under the guise of a trusted process.

Below is a detailed but safe, high-level explanation of how it works, why attackers use it, and how it’s detected.

What Process Hollowing is

Process hollowing is a code injection/evasion technique that allows attackers to:

  • Run malicious code inside a legitimate process
  • Avoid detection by antivirus and behavioral monitoring
  • Blend into normal system activity

Instead of launching a suspicious executable directly, malware makes it appear as though a trusted application (e.g., explorer.exe, svchost.exe) is running normally, while its actual code has been replaced.

Conceptual Workflow (High-Level)

Here’s a simplified conceptual flow of how process hollowing works:

1. Create a Legitimate Process in Suspended Mode

  • A trusted executable is launched (e.g., Notepad, svchost)
  • It is intentionally paused immediately after creation
  • At this moment, it has:
    • Valid structure
    • No meaningful execution yet

2. Remove or Unmap Original Memory

  • The attacker (malware) removes the legitimate executable's code from memory
  • This creates an empty “shell” process

This is where the “hollowing” name comes from; the process is emptied internally, but still exists externally

3. Allocate Memory for Malicious Code

  • The malware allocates memory inside the hollowed process
  • This memory is used to store the attacker’s payload

4. Inject Malicious Payload

  • The attacker’s code is written into the target process memory
  • The process now contains malicious instructions instead of legitimate ones

5. Adjust Execution Context

  • The instruction pointer (CPU execution location) is modified
  • So when resumed, it executes attacker-controlled code instead of the original program

6. Resume Execution

  • The suspended process is resumed
  • From the OS perspective:
    • It looks like a normal, trusted application running
  • In reality:
    • It is executing malicious logic inside

Why Attackers Use Process Hollowing

1. Stealth

  • Appears as a trusted system process
  • Reduces suspicion from users and security tools

2. Evasion

  • Many security solutions trust system binaries
  • Helps bypass signature-based detection

3. Persistence and Privilege Abuse

  • If targeting privileged processes, attackers can inherit higher permissions
  • Helps escalate impact without obvious triggers

Technical Characteristics (Detection Clues)

Even though it is stealthy, process hollowing leaves behavioral artifacts:

Memory Behavior

  • Memory regions with:
    • Executable permissions
    • Unexpected content not matching the original file

API Usage Patterns

Malicious programs often use sequences like:

  • Process creation in suspended state
  • Memory unmapping/allocation
  • Writing to another process's memory
  • Thread/context manipulation

Mismatch Indicators

  • Executable image on disk ≠ memory image in RAM
  • Process name doesn’t match its behavior

Defensive Mitigation Strategies

1. Behavioral Detection

  • Monitor suspicious sequences of API calls
  • Look for:
    • Suspended process creation + memory modification

2. Memory Integrity Checking

  • Compare process memory vs. the original executable file
  • Detect anomalies in loaded code segments

3. Endpoint Detection & Response (EDR)

  • Modern EDR tools flag:
    • Process injection patterns
    • Context manipulation

4. Least Privilege Principle

  • Prevent malware from manipulating high-privilege processes

5. Application Control

  • Restrict execution of unknown binaries
  • Enforce signed code policies

Comparison to Related Techniques

Important Context

Process hollowing is widely used by:

  • Malware families (banking trojans, RATs)
  • Advanced persistent threats (APTs)
  • Red team/penetration testing tools (for simulation)

However, it's also studied in defensive cybersecurity to understand attacker techniques.

Summary

Process hollowing is a stealthy code injection technique that:

  • Creates a legitimate process
  • Empties it internally
  • Inserts malicious code
  • Executes it under a trusted identity

It’s powerful because it exploits trust relationships in operating systems, making malicious activity appear legitimate.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)