What is a Hollow Process?
Process hollowing is a technique used by some malware in which a legitimate process is loaded on the system solely to act as a container for hostile code. At launch, the legitimate code is deallocated and replaced with malicious code. The advantage is that this helps the process hide amongst normal processes better. If you inspect the process and its imports using conventional tools, they all look legit. The PEB is untouched, but the actual code and data of the process have been changed.
A really simple example would be to create a new Notepad process in suspended mode and then replace the code and data segments with our malicious code before we start the execution. This way, we will not find any trace of malicious activity when doing a quick look at the process list (more info. on the post).
Then, how do we analyze a compromised system? The article explains the following techniques:
- Looking for RWX memory segments. Some memory segments in a legit process should be ‘read-only’ and perhaps the attacker forgot to fix these permissions. There are some volatility plugins that do so.
- Dump the process with the procexedump command and compare it with the original in the file system (or a well known copy).
- Since finding the exact binary is difficult, we can also do Fuzzy Hashing. This technique indicates the amount of common content in two files. The less similar the binaries are, the more confident we are that the process was Hollowed. They use the tool called ssdeep (by Jesse Kornblum).