Process Injection & Hollowing Explained | TryHackMe Abusing Windows Internals P1
We covered process injection and process hollowing. Process injection is the act of placing malicious code or shellcode into an already running process and executing it there. Process hollowing creates a legitimate process in a suspended state, un-maps the legitimate image from its memory, and writes a malicious PE image in its place before resuming the process. Both techniques let an attacker hide malware and shellcode inside innocent-looking processes to maintain access and persistence. This was part of the TryHackMe Abusing Windows Internals room in the red team pathway.
Challenge Description
Leverage Windows internals components to evade common detection solutions, using modern tool-agnostic approaches.
Video Highlights
Process injection is commonly used as an overarching term to describe injecting malicious code into a process through legitimate functionality or components.
At a high level, shellcode injection can be broken up into four steps, each mapping to one Win32 call:
- Open a target process (OpenProcess). Many examples request PROCESS_ALL_ACCESS, but the rights the later calls actually need are PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_VM_READ, PROCESS_QUERY_INFORMATION and PROCESS_CREATE_THREAD; requesting only those is less conspicuous and works against more targets.
- Allocate memory for the shellcode in the target process (VirtualAllocEx), typically with PAGE_EXECUTE_READWRITE. A private RWX region is itself a common detection signal, so mature tooling allocates the region as read-write and flips it to read-execute with VirtualProtectEx after writing.
- Write the shellcode to the allocated memory (WriteProcessMemory).
- Execute the shellcode on a new remote thread whose start address is the allocated region (CreateRemoteThread).
Process hollowing injects an entire malicious PE (Portable Executable) file rather than a raw shellcode blob. A legitimate process is created suspended, its own image is "hollowed" (un-mapped) from memory, and the malicious PE's headers and sections are written into the address space so that the process runs the attacker's code under the legitimate name and path.
At a high level, process hollowing can be broken up into six steps:
- Create a target process in a suspended state (CreateProcess with the CREATE_SUSPENDED flag), which yields a process whose main thread has not yet executed anything.
- Open and read the malicious image from disk, and parse its DOS, NT and section headers to learn the preferred image base, the size of the image and the entry point RVA.
- Un-map the legitimate image from process memory (NtUnmapViewOfSection on the image base recorded in the target's PEB).
- Allocate memory at the malicious image's preferred base (VirtualAllocEx), then write the headers and each section to its virtual address with WriteProcessMemory. If the preferred base is not available, the image has to be relocated using its relocation table; a PE without one cannot be hollowed reliably.
- Set the entry point for the malicious code: read the suspended main thread's context (GetThreadContext), point it at the new entry (Rcx on x64, Eax on x86 for the initial thread, since the thread has not yet called the entry point), update the ImageBaseAddress field of the PEB (whose address is in Rdx on x64, Ebx on x86), and write the context back with SetThreadContext.
- Take the target process out of its suspended state (ResumeThread).
Thread (execution) hijacking avoids creating a new thread, which CreateRemoteThread-based injection does and which defenders watch for. Instead it suspends an existing thread in the target, rewrites its instruction pointer to the injected code, and resumes it. At a high level, thread hijacking can be broken up into ten steps:
- Locate and open a target process to control (OpenProcess).
- Allocate a memory region for the malicious code (VirtualAllocEx).
- Write the malicious code to the allocated memory (WriteProcessMemory).
- Identify the thread ID of the thread to hijack, for example by walking a CreateToolhelp32Snapshot with Thread32First/Thread32Next and matching th32OwnerProcessID against the target PID.
- Open the target thread (OpenThread).
- Suspend the target thread (SuspendThread).
- Obtain the thread context (GetThreadContext), with ContextFlags set to CONTEXT_FULL so the control registers are returned.
- Update the instruction pointer (Rip on x64, Eip on x86) to the address of the malicious code.
- Write the modified context back to the thread (SetThreadContext).
- Resume the hijacked thread (ResumeThread). Unless the shellcode preserves the registers and returns to the original instruction pointer, the hijacked thread, and usually the whole process, will crash.
Room Answers
Room answers can be found here.