Posts

Showing posts from December 2016

Detecting Deceptive Process HOLLOWING Techniques Using HOLLOWFIND VOLATILITY PLUGIN

In this blog post we will look at the different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert forensic analysis. I also present a Volatility plugin, hollowfind, to detect these different types of process hollowing. Before looking at the different types, let's first understand normal process hollowing, how it works and how it is detected. To explain normal process hollowing I will use a memory image infected with Stuxnet.

What is Process Hollowing?

Process Hollowing, or Hollow Process Injection, is a code injection technique in which the executable section of a legitimate process in memory is replaced with malicious code (mostly a malicious executable). The technique is used to blend malware in as a legitimate process: by hollowing out a legitimate process, an attacker makes that process execute malicious code while it still looks legitimate to the operating system and to most tools. The advantage of this technique is that the path of the process being hollowed out will still point
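The memory-forensics check that follows from the description above, written as an added example; it is not code from the original post and not the hollowfind plugin itself. It models what a VAD-based detector looks for: in a normal process the VAD that covers the PEB's ImageBaseAddress maps the process's own image file with PAGE_EXECUTE_WRITECOPY protection, whereas a classically hollowed process (NtUnmapViewOfSection followed by VirtualAllocEx/WriteProcessMemory) has private, unbacked PAGE_EXECUTE_READWRITE memory at that address. The `Vad`/`Process` classes, the `SAMPLE_PROCESSES` entries (including the hollowed lsass.exe) and the path normalisation are all constructed for this example rather than read from a memory image; a real plugin would pull the same fields from `_EPROCESS`, the PEB and the VAD tree.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_EXECUTE_WRITECOPY = "PAGE_EXECUTE_WRITECOPY"   # normal for a mapped image
PAGE_EXECUTE_READWRITE = "PAGE_EXECUTE_READWRITE"   # typical for injected code


@dataclass
class Vad:
    """One entry of a process's VAD tree (constructed model, not Volatility's)."""
    start: int
    end: int
    protection: str
    mapped_file: Optional[str]  # backing file for image/file mappings, None for private memory


@dataclass
class Process:
    pid: int
    name: str
    image_base: int   # PEB.ImageBaseAddress
    image_path: str   # PEB.ProcessParameters.ImagePathName
    vads: List[Vad]


def _norm_path(path: str) -> str:
    """Drop the drive letter and lower-case so 'C:\\WINDOWS\\x' equals '\\WINDOWS\\x'.
    Simplification (assumption): real images may use \\Device\\HarddiskVolumeN paths."""
    return path.lower().split(":", 1)[-1]


def vad_for_address(vads: List[Vad], addr: int) -> Optional[Vad]:
    """Return the VAD whose range contains addr, or None."""
    for vad in vads:
        if vad.start <= addr <= vad.end:
            return vad
    return None


def hollow_indicators(proc: Process) -> List[str]:
    """Return a list of reasons the process image region looks hollowed; empty if clean."""
    findings: List[str] = []
    vad = vad_for_address(proc.vads, proc.image_base)
    if vad is None:
        return ["no VAD covers PEB.ImageBaseAddress 0x%x" % proc.image_base]
    if vad.mapped_file is None:
        # Image region was unmapped and re-allocated as private memory.
        findings.append("image region 0x%x-0x%x is private memory with no backing file"
                        % (vad.start, vad.end))
    elif _norm_path(vad.mapped_file) != _norm_path(proc.image_path):
        # PEB still names the legitimate binary but the mapped file is something else.
        findings.append("VAD maps %s but PEB ImagePathName is %s"
                        % (vad.mapped_file, proc.image_path))
    if vad.protection != PAGE_EXECUTE_WRITECOPY:
        # Mapped images are copy-on-write; RWX/RW at the image base means it was rewritten.
        findings.append("image region protection is %s, expected %s"
                        % (vad.protection, PAGE_EXECUTE_WRITECOPY))
    return findings


def scan(procs: List[Process]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every process that shows at least one indicator."""
    result: Dict[int, List[str]] = {}
    for proc in procs:
        findings = hollow_indicators(proc)
        if findings:
            result[proc.pid] = findings
    return result


# Constructed sample data: one legitimate lsass.exe and one hollowed-out lsass.exe.
KERNEL32 = Vad(0x7C800000, 0x7C8F5FFF, PAGE_EXECUTE_WRITECOPY, r"\WINDOWS\system32\kernel32.dll")

LEGIT_LSASS = Process(
    pid=680, name="lsass.exe", image_base=0x01000000,
    image_path=r"C:\WINDOWS\system32\lsass.exe",
    vads=[Vad(0x01000000, 0x01006FFF, PAGE_EXECUTE_WRITECOPY, r"\WINDOWS\system32\lsass.exe"),
          KERNEL32],
)

HOLLOWED_LSASS = Process(
    pid=868, name="lsass.exe", image_base=0x01000000,
    image_path=r"C:\WINDOWS\system32\lsass.exe",
    # Original image unmapped; attacker allocated private RWX memory at the same base.
    vads=[Vad(0x01000000, 0x01013FFF, PAGE_EXECUTE_READWRITE, None), KERNEL32],
)

SAMPLE_PROCESSES = [LEGIT_LSASS, HOLLOWED_LSASS]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        print("PID %d looks hollowed:" % pid)
        for reason in reasons:
            print("  -", reason)
```

Both sample processes carry the same name and the same PEB path, which is exactly why a process listing alone cannot tell them apart; the difference only shows up when the VAD covering the image base is compared with what the PEB claims.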