## Quick Malware knowledge: Process hollowing ``From a chilling afternoon at Worri coffee!`` ### 1. What is the definition of Process Hollowing? - Okay, reading the name of the malware, somehow we can imagine something about it, particularly "hollowing". - This malware technique is named as Process Hollowing as it evades the detection by starting the process with a legitimate process first, then it hollows out the code inside the process before ever executing them, then injects the malicious code (shellcode) into that region. ### 2. How does it work and What are the steps? - Firstly, it starts a legitimate process in a suspended state so that the process won't execute the code immediately. To perform that, it uses **CreateProcess** function with **CREATE_SUSPEND** option used in **dwCreations** flag. - Once the process is suspended, the next step is to hollow out the legitimate code! Windows definitely has an API to achieve this. Malware may use **NtUnmapViewOfSection** to unmap code from virtual memory from user mode. - Now, we have a hollowed process in a suspended state, the next step that needs to be performed is code injection. We have to request the kernel to allocate a memory space with both Execute and Write permissions using **VirtualAllocEx** with **flProtect** parameter. Following that, the malware uses **WriteProcessMemory** to write shellcode into that allocated memory within the hollowed process. - To make the process appear to be a normal and legitimate one, it then uses **VirtualProtectEx** to change the permissions of the code section or data section, specifically removing the Write permission while keeping Execute one. - At this point, the malware is already 80% of its progress. What's left to do ? Maybe resume the process now? But wait! the instruction pointer now is still pointing to the instruction of the original code not our shellcode, what we acutally need to do next is to adjust that pointer points to our injection code! We could do it using **GetThreadContext** to get the registers information, then use **SetThreadContext** to change the value of the IP to the correct address. - Finally, the malware calls **ResumeThread** to make the process run the shellcode within!  ### 3. Questions around. #### 1. Why must the malware ask the kernel to allocate a new memory region rather than using the region it just hollowed? - Shortly, when **NtUnmapViewOfSection** is called, the mapping between virtual address and physical address no longer exists, so if the malware tries to write to it -> memory access violation. #### 2. The series of behaviors of unmapping code, allocating new memory region with Write and Execte permission and also changing the registers context is so suspicious -> Why does it ever bypass detection methods? - Overally, there are some reasons but i dont wanna talk too specifically about them right now, just mention some of them. - Traditional tools often whitelist processes to avoid performance overhead, while this kind of malware often appears as a legitimate one like: explorer.exe, svchost.exe, etc ... another thing is that monitoring every **VirtualAllocEx**, **WriteProcessMemory**, **SetThreadContext** call system-wide would create the same problem: massive performance overhead! - These operations happen really quickly and seperately, therefore correlating them altogether inn real-time is a hard work. - Legitimate use cases exist: Some debuggers also use similar APIs (GetThreadContext, SetThreadContext). JIT compiler allocates executable memory as well, etc ... -> **False Positive problems** arise! ### 4. What are the modern ways to detect it? - **Behaviral analysis and API hooking**: Look for specific pattern like: CreateProcess (suspended) -> Unmap -> Allocate -> Write -> SetThreadContext -> Resume. Using EDR agents to hook at kernel or user level -> track the call and correlate them together. - **Memory integrity check**: Check the virtual memory with the memory on disk, if there is any mismatch -> indicating code injection! - **Deep learning & heuristics methods**: We already know that, AI could detect malware from our given data of malware pattern, but that's still not really effective with some novel malwares or some variants. However, we could leverage our methods using another way like deep learning: neural networks can learn through complex representations of malware families making them more resilient to obfuscation and polymorphism. - **Detecting using suspicious memory protection**. ### Ref: - https://www.slideshare.net/slideshow/hijackloader-evolution-interactive-process-hollowing/269669583 - https://www.picussecurity.com/resource/blog/t1055-012-process-hollowing - https://cysinfo.com/detecting-deceptive-hollowing-techniques/