Evasive Process Hollowing PoC
Proof-of-concept code that demonstrates a few of the "evasive process hollowing" techniques analyzed in the white paper "What Malware Authors Don't want you to know - Evasive Hollow Process Injection" by Monnappa K A. The PoC code can be used as a testbed to replicate the memory forensics findings discussed in the white paper.
- The resource file "HollowProcessInjection.rc" has a hardcoded path to the executable that is to be injected. The RCDATA path must be changed to reflect the .exe location on the host machine.
3. Process Hollowing - Address of Entry Point Modification with the memory protection changed to PAGE_EXECUTE_WRITECOPY
- The injected .exe for this technique has been converted into shellcode using Hasherezade's pe_to_shellcode tool.
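As an added example (not code from the PoC or from the white paper), the following Python script shows the kind of triage an analyst can run over a process memory map to surface the artifacts technique 3 leaves behind. The snapshots are constructed in-line; the field names, region kinds, paths and addresses are assumptions of this example. The heuristic flags any executable region that is not a file-backed image mapping, whatever its exact protection, so a region set to PAGE_EXECUTE_WRITECOPY is reported the same way as one set to PAGE_EXECUTE_READWRITE, and it compares the initial thread's start address with the entry point read from the on-disk PE.

```python
# Added example: heuristic triage of a process memory map for hollowing artifacts.
# All snapshots below are constructed for illustration; nothing here is read from a live process.
from dataclasses import dataclass, field
from typing import List, Optional

# Protection names as they appear in a memory map / VAD listing (assumed string form).
EXEC_PROTECTIONS = {
    "PAGE_EXECUTE",
    "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE",
    "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class Region:
    start: int
    size: int
    protection: str   # protection constant name as a string
    kind: str         # "image" (file-backed PE mapping) or "private"
    backing: str = ""  # path of the mapped file, empty for private memory

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


@dataclass
class ProcessSnapshot:
    image_base: int       # base of the main module inside the process
    disk_entry_rva: int   # AddressOfEntryPoint read from the PE on disk
    thread_start: int     # start address of the process's initial thread
    regions: List[Region] = field(default_factory=list)


@dataclass
class Finding:
    address: int
    reason: str


def region_at(snapshot: ProcessSnapshot, addr: int) -> Optional[Region]:
    """Return the region that contains addr, or None if it is unmapped."""
    for r in snapshot.regions:
        if r.contains(addr):
            return r
    return None


def triage(snapshot: ProcessSnapshot) -> List[Finding]:
    """Report executable non-image memory and an entry point that moved away from the PE's."""
    findings: List[Finding] = []
    for r in snapshot.regions:
        # Executable memory with no image backing is suspicious regardless of the exact
        # protection, so a WRITECOPY region does not slip past a READWRITE-only check.
        if r.protection in EXEC_PROTECTIONS and r.kind != "image":
            findings.append(Finding(
                r.start,
                f"executable {r.kind} memory ({r.protection}) with no image backing"))
    expected_entry = snapshot.image_base + snapshot.disk_entry_rva
    if snapshot.thread_start != expected_entry:
        owner = region_at(snapshot, snapshot.thread_start)
        where = f"{owner.kind} region at {owner.start:#x}" if owner else "unmapped memory"
        findings.append(Finding(
            snapshot.thread_start,
            f"initial thread starts at {snapshot.thread_start:#x}, on-disk entry point is "
            f"{expected_entry:#x} ({where})"))
    return findings


def hollowed_sample() -> ProcessSnapshot:
    """Constructed snapshot resembling technique 3: the thread start was redirected into a
    private region whose protection was set to PAGE_EXECUTE_WRITECOPY."""
    return ProcessSnapshot(
        image_base=0x400000, disk_entry_rva=0x1000, thread_start=0x1F1000,
        regions=[
            Region(0x400000, 0x10000, "PAGE_EXECUTE_WRITECOPY", "image", r"C:\Windows\System32\notepad.exe"),
            Region(0x600000, 0x20000, "PAGE_READWRITE", "private"),   # ordinary heap
            Region(0x1F0000, 0x8000, "PAGE_EXECUTE_WRITECOPY", "private"),  # injected code
            Region(0x77000000, 0x180000, "PAGE_EXECUTE_WRITECOPY", "image", r"C:\Windows\System32\ntdll.dll"),
        ])


def clean_sample() -> ProcessSnapshot:
    """Constructed snapshot of the same process with no injection."""
    return ProcessSnapshot(
        image_base=0x400000, disk_entry_rva=0x1000, thread_start=0x401000,
        regions=[
            Region(0x400000, 0x10000, "PAGE_EXECUTE_WRITECOPY", "image", r"C:\Windows\System32\notepad.exe"),
            Region(0x600000, 0x20000, "PAGE_READWRITE", "private"),
            Region(0x77000000, 0x180000, "PAGE_EXECUTE_WRITECOPY", "image", r"C:\Windows\System32\ntdll.dll"),
        ])


if __name__ == "__main__":
    for name, snap in (("hollowed", hollowed_sample()), ("clean", clean_sample())):
        print(f"== {name} ==")
        for f in triage(snap):
            print(f"  {f.address:#x}: {f.reason}")
```

On the constructed hollowed snapshot the script reports two findings (the private PAGE_EXECUTE_WRITECOPY region and the relocated thread start) and none on the clean one. The on-disk entry point is the reference value here because the in-memory PE header of a hollowed process may already have been rewritten.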
What Malware Authors Don't want you to know - Evasive Hollow Process Injection - Monnappa K A
Process Hollowing - John Leitch
pe_to_shellcode - Hasherezade