Understanding Process Hollowing
A technique used by malware authors to evade defenses and to hinder the detection and analysis of malicious process execution
Process hollowing is a technique used by malware in which a legitimate process is loaded on the system solely to act as a container for hostile code.
How it works?
At launch, the legitimate process is created in a suspended state and the process’s memory is replaced with the code of a second program so that the second program runs instead of the original program.
The advantage is that this helps the process hide amongst normal processes better: Windows and process monitoring tools believe the original process is running, whereas the actual program running is different.
Detecting hollowed processes with Volatility
One common technique for detecting hollowed processes is to scan allocated memory for regions that carry the RWX (read, write, execute) protection setting.
If the attacker did not restore the memory protection flags with VirtualProtectEx after writing the payload, such regions are easy to find.
The Volatility plugin malfind does this as part of its scanning; careful malware authors, however, can easily avoid this by correcting the protection settings after they are done writing to memory.
Even without any plugins, Volatility can dump process images to files so that we can compare them with each other or with the original executable on the filesystem: a hollowed process carries a PE image in memory that no longer matches the file it was launched from.
In the following video, part of the presentation “Reversing and Investigating Malware Evasive Tactics — Hollow Process Injection” given at the Cysinfo cyber security meet in Bangalore on May 28th 2016, Monnappa K A detects an svchost.exe process used as the host process for process hollowing:
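The two checks described above, implemented as an added example over constructed data (this is not code from the article, from Volatility, or from the presentation). Part one mimics the malfind heuristic by scanning a region listing, shaped like a Volatility vadinfo summary, for private memory marked PAGE_EXECUTE_READWRITE. Part two stands in for the dump-and-compare workflow: it reads the entry point, SizeOfImage and body hash from a dumped PE image and from the on-disk file and reports which fields disagree. The region listing and both PE images are constructed inline by a small builder; they are not real memory dumps or real binaries.

```python
"""Hollowed-process indicators over constructed data (added example)."""
import hashlib
import struct

# ---- (1) RWX private-region scan, the malfind heuristic ------------------

# Constructed region listing in the shape of a Volatility vadinfo summary:
# start/end of each VAD, its protection string, and the backing file if any.
SAMPLE_REGIONS = [
    {"start": 0x7FF600000000, "end": 0x7FF60001FFFF,
     "protect": "PAGE_EXECUTE_WRITECOPY", "file": r"\Windows\System32\svchost.exe"},
    {"start": 0x00400000, "end": 0x0041FFFF,
     "protect": "PAGE_EXECUTE_READWRITE", "file": None},      # the suspicious one
    {"start": 0x00600000, "end": 0x0060FFFF,
     "protect": "PAGE_READWRITE", "file": None},              # ordinary heap
    {"start": 0x7FFB10000000, "end": 0x7FFB1001FFFF,
     "protect": "PAGE_EXECUTE_READ", "file": r"\Windows\System32\ntdll.dll"},
]


def find_rwx_private_regions(regions):
    """Return regions that are writable+executable and not backed by an image file.

    Legitimately mapped images are file-backed and use EXECUTE_WRITECOPY or
    EXECUTE_READ, so private RWX memory is the malfind-style indicator.
    """
    return [r for r in regions
            if r["protect"] == "PAGE_EXECUTE_READWRITE" and r["file"] is None]


# ---- (2) Compare a dumped PE image with the on-disk file ------------------

OPT_HEADER_SIZE = 240  # size of a PE32+ optional header with 16 data directories


def build_pe(entry_point, size_of_image, body):
    """Build a minimal PE-shaped byte image (constructed for this example, not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, OPT_HEADER_SIZE, 0x22)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_point)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, size_of_image)       # SizeOfImage
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


def pe_summary(image):
    """Pull the header fields a hollowed image is most likely to change."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    return {
        "entry_point": struct.unpack_from("<I", image, opt + 16)[0],
        "size_of_image": struct.unpack_from("<I", image, opt + 56)[0],
        "body_sha256": hashlib.sha256(image[opt + opt_size:]).hexdigest(),
    }


def header_mismatches(dumped, disk):
    """Sorted names of fields where the dumped image disagrees with the on-disk file."""
    a, b = pe_summary(dumped), pe_summary(disk)
    return sorted(k for k in a if a[k] != b[k])


# Constructed stand-ins: the file on disk and the image dumped from memory.
DISK_IMAGE = build_pe(0x1000, 0x8000, b"legitimate svchost code (constructed)")
DUMPED_IMAGE = build_pe(0x2A40, 0x20000, b"replacement payload (constructed)")


def analyze(regions, dumped, disk):
    """Run both checks and return the indicators found."""
    return {"rwx_private": find_rwx_private_regions(regions),
            "header_mismatches": header_mismatches(dumped, disk)}


if __name__ == "__main__":
    result = analyze(SAMPLE_REGIONS, DUMPED_IMAGE, DISK_IMAGE)
    for r in result["rwx_private"]:
        print(f"private RWX region {r['start']:#x}-{r['end']:#x}")
    print("header fields differing from disk:", result["header_mismatches"])
```

The header comparison is deliberately field-based rather than a raw byte diff: a process image dumped from memory is laid out on section alignment while the file on disk uses file alignment, so raw bytes differ even for a clean process, whereas entry point and SizeOfImage should agree. When run against real data the region listing would come from Volatility's VAD output and the two images from the dumped process and the executable it claims to be.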
Mitigation
Blocking the specific API calls involved will likely have unintended side effects, such as preventing legitimate software from operating properly.
Efforts should instead be focused on preventing adversary tools from running earlier in the chain of activity and on identifying the malicious behavior that follows.