Posts

Showing posts from October, 2019

Process Injection - Part III

Hello All, I finally have a contributor (Renos) who has added the process hollowing technique to the Process Injection tool, which I wrote to learn about various process injection techniques and to improve my knowledge of C# and the Windows API. In this post I will cover the Process Hollowing technique. The tool can be found on my github repo.

What is Process Hollowing?

Process hollowing occurs when a process is created in a suspended state and the executable section of the legitimate process in memory is unmapped and replaced with a malicious executable (shellcode in our case). This technique allows an attacker to disguise malware as a legitimate process and execute malicious code. As a result, the attacker may evade defenses and endpoint detection.

This Process Hollowing technique uses 10 Windows APIs.

ZwCreateSection - The ZwCreateSection function creates a section object that represents a section of memory that can be shared. A process can use a