Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO
Huseyin Can YUCEEL | March 04, 2025 | 4 MIN READ

LAST UPDATED ON MARCH 04, 2025

MITRE ATT&CK T1055.012 Process Injection: Process Hollowing

Process Hollowing is a process injection technique that adversaries generally use to bypass process-based defenses by injecting malicious code into a suspended or hollowed process. This technique involves creating a process in a suspended state, then unmapping or hollowing out its memory and replacing it with malicious code. This allows the attacker to execute their code within the context of the target process.

In this blog post, we explain the T1055.012 Process Hollowing technique of the MITRE ATT&CK® framework and explore how adversaries employ process hollowing with real-world attack examples in detail.

rr25-mockup1

 

  


The Red Report 2025
The 10 Most Prevalent MITRE ATT&CK Techniques
Used by Adversaries

GET THE REPORT


Adversary Use of Process Hollowing

Process hollowing is a technique used by malware to hide its code execution within the memory of a legitimate process. The malware begins by creating a new, suspended process of a legitimate, trusted system process. It then hollows out the contents of the legitimate process's memory, replacing it with the malicious code, and resumes the execution of the process. This can make it more difficult for security software to detect the presence of the malware, as it is running within the context of a trusted process. The legitimate process's original code is usually unmapped from memory, so it is no longer visible to the operating system.

An example Process Hollowing attack is given below.

  1. Create a suspended process: This initial step is about creating a suspended process, which adversaries will later use to hollow. To create a new process, the malware uses the CreateProcess function. As discussed before, this attack includes hollowing the memory of a suspended process. Thus, malware suspends this newly created process' primary thread via the CREATE_SUSPEND option used in the fdwCreate flag.

  2. Hollow out the legitimate code: Malware hollows out the legitimate code from the memory of the suspended process. This is done by using particular API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection. The malware calls the ZwUnmapViewOfSection function to remove a previously mapped view of a section from the virtual address space of the target process.  One important thing to add is that the ZwUnmapViewOfSection function is called from kernel mode, meaning that it is not intended to be called directly from user mode. To unmap a view of a section from the virtual address space of the target process from user mode, adversaries should use the NtUnmapViewOfSection function instead. 

  3. Allocate memory in the target process: Malware allocates memory in the target process via the VirtualAllocEx function. One critical thing to note is that malware uses the flProtect parameter to ensure that the code is marked as writeable and executable.

  4. Write shellcode to the allocated memory: The adversary uses the WriteProcessMemory function to write the malicious code (also known as shellcode) to the allocated memory within the hollowed process.

  5. Change the memory protection: The malware calls the VirtualProtectEx function to change the memory protection of the code and data sections in the target process to make it appear normal, meaning that the memory in these sections will be marked as readable and in the case of "Read/Execute", executable.

  6. Retrieve the target thread's context: The target thread's context is retrieved using the GetThreadContext.

  7. Update the target thread's instruction pointer: Malware updates the target thread's instruction pointer to point to the written shellcode that the malware has written in the fourth step. Following this, malware commits the hijacked thread's new context with SetThreadContext.

  8. Resume the suspended process: The malware uses the ResumeThread to make the suspended process resume so that it can run the shellcode within. 

In April 2024, REMCOS RAT was reported to use process hollowing to copy itself into iexplore.exe [1]. Using the CreateProcessW API, the malware starts the target process in the suspended state and gets its thread context via the GetThreadContext API. Then, the malware uses ZwCreateSection and ZwMapViewOfSection APIs to create and map shared memory into the target process, along with the handle of the remote process. Finally, the malware sets the thread context with a new entry point pointing to the REMCOS entry point and resumes the process execution, successfully completing the process injection via process hollowing. 

if(!CreateProcessW(0, IpCommandLine, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &StartupInfo, p_remote_process_information))
 break;
p_context = (CONTEXT *)VirtualAlloc(0, 4u, 0x1000u, 4u);

if ( !GetThreadContext(p_remote_process_information→hThread, v40)
 || !ReadProcessMemory(

P_remote_process_information→hProcess,


 || g_fp_ZwCreateSection(&h_section, SECTION_ALL_ACCESS, 0, &MaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0))

if(!g_fp_ZwMapViewOfSection(Handle, CurrentProcess, &v33, 0, 0, 0, (PSIZE_T)v35, 1u, 0, 0x40u))

if(WriteProcessMemory(*(HANDLE *)_p_remote_process_information

if(SetThreadContext(*((HANDLE *)_p_remote_process_information + 1), p_context)

&& ResumeThread(*((HANDLE *)_p_remote_process_information + 1)) != -1)

References

[1] C. François and S. Bousseaden, "Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part One — Elastic Security Labs." Available: https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one

Table of Contents

MITRE ATT&CK T1055.013 Process Injection: Process Doppelgänging
MITRE ATT&CK MITRE ATT&CK T1055.013 Process Injection: Process Doppelgänging
Learn More
MITRE ATT&CK T1055.005 Process Injection: Thread Local Storage
MITRE ATT&CK MITRE ATT&CK T1055.005 Process Injection: Thread Local Storage
Learn More
MITRE ATT&CK T1055.003 Process Injection: Thread Execution Hijacking
MITRE ATT&CK MITRE ATT&CK T1055.003 Process Injection: Thread Execution Hijacking
Learn More
MITRE ATT&CK T1055.012 Process Injection: Process Hollowing
MITRE ATT&CK MITRE ATT&CK T1055.012 Process Injection: Process Hollowing
Learn More
MITRE ATT&CK T1055.011 Process Injection: Extra Window Memory Injection
MITRE ATT&CK MITRE ATT&CK T1055.011 Process Injection: Extra Window Memory Injection
Learn More
MITRE ATT&CK T1055.009 Process Injection: Proc Memory
MITRE ATT&CK MITRE ATT&CK T1055.009 Process Injection: Proc Memory
Learn More
MITRE ATT&CK T1055.008 Process Injection: Ptrace System Calls
MITRE ATT&CK MITRE ATT&CK T1055.008 Process Injection: Ptrace System Calls
Learn More
MITRE ATT&CK T1055.004 Process Injection: Asynchronous Procedure Call
MITRE ATT&CK MITRE ATT&CK T1055.004 Process Injection: Asynchronous Procedure Call
Learn More
MITRE ATT&CK T1055.002 Process Injection: Portable Executable Injection
MITRE ATT&CK MITRE ATT&CK T1055.002 Process Injection: Portable Executable Injection
Learn More