What is Process Hollowing?

What is process hollowing?

Process Hollowing is a stealthy malware injection technique where an attacker creates a legitimate process in a suspended state, removes its original code, and replaces it with malicious code before resuming execution. This allows the malware to run under the guise of a legitimate process, evading detection by security tools.

Why Attackers Use Process Hollowing

• Evasion of Security Tools – Since the process appears legitimate, antivirus and behavioral detection tools may overlook it.
• Code Execution Without Dropping a File – Unlike traditional malware that leaves artifacts on disk, this method operates in memory, making forensic detection harder.
• Persistence & Privilege Escalation – Hollowed processes can run with elevated privileges if they mimic system processes.

How does process hollowing work?

How Process Hollowing Works

Process hollowing is a malware injection technique that allows attackers to run malicious code within the address space of a legitimate process. This method helps evade detection by security tools since the compromised process appears normal. Here’s how it works step by step:

1. Create a Suspended Process
   • The attacker starts a legitimate process (e.g., explorer.exe or svchost.exe) in a suspended state using APIs like CreateProcess. This prevents the process from executing its normal code immediately.

2. Unmap the Original Code

1. • The memory section where the legitimate executable is loaded is removed or “hollowed out” using system calls like ZwUnmapViewOfSection. This clears the space for the malicious payload.

3. Inject Malicious Code

1. • The attacker allocates new memory in the process using VirtualAllocEx and writes the malicious payload into the hollowed-out memory space using WriteProcessMemory.

4. Modify Execution Context

1. • The entry point of the original process is modified to point to the injected malicious code. This is done by updating the thread context using SetThreadContext.

5. Resume Execution

1. • The attacker resumes the process using ResumeThread, allowing the malicious payload to execute under the name of the legitimate process.

Why Process Hollowing Is Dangerous

• Evasion of Security Tools – Since the malware runs under a trusted process, traditional antivirus and behavioral detection tools may not flag it.
• Fileless Execution – The attack occurs in memory, leaving minimal traces on disk, making forensic analysis difficult.
• Privilege Escalation – If the targeted process has elevated privileges, the attacker’s code inherits them, increasing the attack’s impact.

Process hollowing is commonly used in advanced persistent threats (APTs), ransomware, and fileless malware, making it a critical security concern.

How can you prevent process hollowing attacks?

Process hollowing is a stealthy malware technique, but several proactive security measures can help detect and prevent these attacks. Here’s how:

1. Monitor and Analyze Process Behavior

• Use Endpoint Detection & Response (EDR) solutions to track process creation, memory modifications, and unusual API calls.
• Look for process anomalies, such as:
  • A process starting in a suspended state and having its memory altered.
  • Legitimate processes executing unexpected code or launching from unusual directories.

2. Monitor and Restrict Process Privileges

• Apply the Principle of Least Privilege (PoLP) to limit the execution of high-risk processes with admin rights.
• Disable unnecessary privileges using User Account Control (UAC) and Process Mitigation Policies.

3. Detect and Block Memory Manipulation

• Use Memory Integrity features (Hypervisor-Protected Code Integrity – HVCI) to prevent unauthorized memory modifications.
• Monitor API calls such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, and SetThreadContext, which are commonly used in process hollowing.

4. Regularly Update and Patch Software

• Keep operating systems and applications up to date to patch vulnerabilities that attackers could exploit for process injection.
• Use exploit protection tools like Microsoft’s Exploit Protection in Windows Security.

5. Deploy Behavioral-Based Threat Detection

• Use AI-driven security solutions that detect behavioral anomalies rather than relying on signature-based detection alone.
• Deploy SIEM (Security Information and Event Management) tools to correlate unusual process activity with potential attacks.

By combining process monitoring, system hardening, behavioral detection, and least privilege enforcement, organizations can significantly reduce the risk of process hollowing attacks and other advanced malware threats.

What are some real-world examples of process hollowing?

Process hollowing has been widely used by cybercriminals, advanced persistent threats (APTs), and malware developers to evade detection. Below are some notable real-world examples:

1. Emotet

• Description: Emotet, one of the most infamous banking trojans and malware delivery platforms, used process hollowing to inject itself into legitimate Windows processes like explorer.exe.
• Impact: Enabled the malware to stay hidden while downloading additional payloads such as TrickBot and Ryuk ransomware.
• Detection Evasion: Security tools would see the process running normally, while the malicious code executed in the background.

2. TrickBot

• Description: TrickBot, a banking trojan-turned-advanced malware loader, leveraged process hollowing to inject itself into system processes such as svchost.exe or msiexec.exe.
• Impact: Stole credentials, performed lateral movement, and distributed ransomware like Conti.
• Detection Evasion: By running under trusted processes, it bypassed traditional antivirus detection.

3. Ryuk Ransomware

• Description: Ryuk, a high-profile ransomware linked to state-sponsored groups, used process hollowing to execute its encryption routines under the guise of legitimate Windows processes.
• Impact: Targeted enterprises, hospitals, and government institutions, demanding millions in ransom.
• Detection Evasion: Injected into system processes to prevent early detection and response.

4. Cobalt Strike

• Description: Cobalt Strike, a legitimate penetration testing tool often abused by attackers, used process hollowing as part of its post-exploitation techniques.
• Impact: Enabled remote access, privilege escalation, and lateral movement in corporate networks.
• Detection Evasion: Security teams often struggle to distinguish between legitimate use by red teams and malicious use by attackers.

5. Ursnif (Gozi) Banking Trojan

• Description: Ursnif, a widely used financial malware, utilized process hollowing to inject itself into browser processes like chrome.exe or iexplore.exe to steal banking credentials.
• Impact: Compromised banking details, credit card information, and login credentials.
• Detection Evasion: By hijacking browser processes, it could intercept user input without raising suspicion.

Key Takeaways

• Process hollowing is a preferred technique for malware evasion, as it allows attackers to execute malicious code under trusted processes.
• It is widely used in banking trojans, ransomware, and advanced persistent threats (APTs) to bypass traditional security measures.
• Detection requires behavioral analysis, EDR solutions, and memory forensics rather than signature-based antivirus approaches.

Understanding these real-world cases highlights the importance of advanced threat detection and proactive security measures to mitigate process hollowing attacks.