Process Hollowing — Malware Reverse Engineering.

What is Process Hollowing?

Process Hollowing is a technique used by malware to execute malicious code within the address space of a legitimate process. This allows the malware to evade detection, as security tools and task managers will see a normal, trusted process running while, in reality, it is executing malicious code.

Steps of Process Hollowing Execution:

1. Create a Suspended Process

• The attacker starts a legitimate process (e.g., notepad.exe) in a suspended state using CreateProcess() with the CREATE_SUSPENDED flag.
• This prevents the process from executing immediately, giving the attacker time to modify it.

2. Unmap (Hollow Out) the Legitimate Code

• The attacker uses ZwUnmapViewOfSection() or NtUnmapViewOfSection() to remove the original executable code from memory.
• At this point, the process still exists, but its code is gone, leaving an empty space (hollowed process).

3. Allocate Memory for Malicious Code

• The attacker allocates memory in the hollowed process using VirtualAllocEx().

4. Write Malicious Code into the Hollowed Process

• The malicious payload (e.g., ransomware, trojan, or keylogger) is written into the allocated memory using WriteProcessMemory().

5. Adjust the Thread Context

• The attack modifies the entry point of the process to point to the malicious code using SetThreadContext().

6. Resume Execution

• Finally, the attacker resumes the suspended process using ResumeThread().
• The process appears normal, but in reality, it is executing malicious code.

Example to understand the process hollowing-

Imagine you have a chocolate wrapper, and inside, you expect a chocolate bar. But what if someone secretly replaces the chocolate with soap, while keeping the wrapper intact? You think you’re getting chocolate, but you’re actually getting soap!

Process Hollowing works the same way in computers. A hacker starts a normal, trusted program (like notepad.exe) but quickly removes its real code and replaces it with a malicious program. To the operating system, it still looks like Notepad, but inside, it’s actually running a virus!

Sha256: eae72d803bf67df22526f50fc7ab84d838efb2865c27aef1a61592b1c520d144

Static Analysis

Pestudio- Suspicious API

The file is compiled using the Delphi compiler. Upon opening it in DIE, the entropy analysis indicates that the .code and .reloc sections are packed.

Next, inspecting the file in PE Studio under the Imports section reveals APIs commonly associated with Process Hollowing, such as SetThreadContext, WriteProcessMemory, VirtualAllocEx, and CreateProcessA. Additionally, the presence of keyboard state-related APIs suggests that the sample may function as a keylogger.

IDA- Import Section

Upon opening the file in IDA and navigating to the Imports section, we can see APIs such as LoadResource and FindResource, which may be used to drop another file. To investigate further, we check LoadResourceA and view its cross-references by pressing the X key. This reveals where the function is being called within the code, providing more insight into its usage.

-IDA Xref under Import Section

Filename- Load File from Resource Section

In the image above, we can see that FindResourceA is searching for a file named “ICO” under the resource name “ICER”, likely to load it at runtime.

To extract the file, we can use CFF Explorer:

CFF explorer — Resource Section

1. Open the file in CFF Explorer.
2. Navigate to the Resource Editor.
3. Right-click on the identified resource and select “Save Raw File” to extract it.

Extracted file Hash

The images above show that the code calls APIs related to Process Hollowing in IDA. You can verify this by checking the cross-references (XREFs) of SetThreadContext under the Imports section. Pressing X in IDA will reveal where this API is being used, helping to analyze its role in the execution flow.

Dynamic Analysis

Set Breakpoint in X32

Load the sample in x32dbg, then follow these steps to set breakpoints:

1. Open x32dbg and load the executable.
2. Press Ctrl + G to open the Go to Address window.
3. Enter each keyword from the highlighted green text in the image one by one.
4. After navigating to each address, set a breakpoint (F2) to pause execution when the API is called.

After setting the breakpoints in x32dbg, press F9 to continue execution. The sample then attempts to trigger the Encrpgty application, but in x32dbg, execution stops before hitting the breakpoints.

Execute X32 till to Get a Browse for Folder option

Continuously press F9 in x32dbg until the execution reaches the point where you can select a folder.

Preparation Before Execution:

1. Create a Folder: Name it “Process Testing”.
2. Create a Dummy Folder: Inside “e.g., Process Testing “, place a dummy Word document (e.g., test.docx).
3. Continuously press F9 until the sample prompts you to select a folder.

4. Choose the “Process Testing” folder and click Start Button and in x32 it triggers to breakpoint CreateFileA.

5. After selecting the “Process Testing” folder, execution will pause at CreateFileA (if a breakpoint is set). Press Ctrl + F9 to allow CreateFileA to execute completely. Once executed, the return value in EAX (e.g., 6D8) represents the handle assigned to the first file in the “Process Testing” folder.

6. In order to know which file handle we got in createfileA is confirm in x32 under Handle tab, Enter the handle 6D8 in search bar and click refresh.

7. Press F9 to continue execution. The debugger will pause at WriteFile and CreateFileA each time they are called. When it stops, check the return value and verify the handle to track which file is being accessed or modified.

8. At some point during the execution of CreateFileA, a new file named “Readme.txt” will be created. Once this happens, press F9 to continue, and the debugger will stop at WriteFile. Then, press Ctrl + F9 or F9 again to allow WriteFile to complete execution and it will stop at CreateProcessA.

9. Click F8 to execute the CreateProcessA function

10. After executed the CreateProcessA then check with Process Explorer cmd.exe is suspended Mode.

11. GetThreadContext is a function that allows a program to retrieve the register state of a thread.

12. ReadProcessMemory is a Windows API function that reads memory from another process.

13. We can observe the WriteProcessMemory function, which facilitates writing data to another process. In this case, cmd.exe (handle: 4F0) is running in suspended mode, and we can view the buffer value using the ‘Follow in Dump’ feature.

14. Dump memory to file using right click.

15. Open the dumped file in HxD editor and search the “MZ” string using Ctrl+F once u find the MZ before the line delete and save the file we can able to see the executable file.

16. Again it stop at writeprocessmemory , we can repeat steps 13,14,15 and dump the file.

17. After Execution of Resume Thread cmd.exe start to run. We can observe above and below image working Set size is increased if we can conclude the data is written in cmd.exe