Process Hollowing

A defense-evasion technique where a benign process is created in a suspended state, its memory is unmapped or overwritten, and malicious code is written into the hollowed space before the thread is resumed.

Detection / Fingerprint

• CreateProcessW with CREATE_SUSPENDED flag
• NtUnmapViewOfSection or VirtualAllocEx on a newly created process
• NtWriteVirtualMemory or WriteProcessMemory targeting the suspended process
• SetThreadContext / ResumeThread to redirect execution

Implementation Patterns

SilverFox variants use a streamlined hollowing sequence without NtUnmapViewOfSection:

1. CreateProcessW(target_path, ..., CREATE_SUSPENDED, ...)^[ghidra:FUN_140001030]
2. VirtualAllocEx(hProcess, ..., MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)^[ghidra:FUN_140001030]
3. NtWriteVirtualMemory(hProcess, base, payload, size, ...)^[ghidra:FUN_140001030]
4. Resume via ResumeThread or thread-context manipulation

Alternative fallback: ShellExecuteExW if injection fails.^[ghidra:FUN_1400044b0]

Reproduce on Your Own VMs

Build a test injector targeting notepad.exe:

STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
CreateProcessW(L"C:\\Windows\\System32\\notepad.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);

// Allocate RWX memory in suspended process
LPVOID remote = VirtualAllocEx(pi.hProcess, NULL, payload_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, remote, payload, payload_size, NULL);

// Hijack entry point via SetThreadContext or overwrite image base
// ResumeThread(pi.hThread);

Verify with capa <reproducer.exe> — should hit inject code into process.

Defensive Countermeasures

• Monitor CreateProcessW(CREATE_SUSPENDED) followed by memory writes to the child process
• ETW: Microsoft-Windows-Kernel-Process events for process creation + memory allocation
• YARA: flag binaries importing both CreateProcessW and NtWriteVirtualMemory/WriteProcessMemory