Process Hollowing
Process Hollowing is the technique in which we can modify the process before it starts executing.
By starting the process in Suspended
mode using the CreateProcess API.
CreateProcess API
CreateProcess API will do 3 things before starting the execution of the binary
It will allocate the virtual memory space for the new process
It will allocate the stack along with TEB (Thread Environment Block) and PEB (Process Environment Block)
It will loads the DLLs and the EXE to the memory.
Key points required for process hollowing
zwqueryinformationprocess : It is a winapi call which can be used to retrieve information about the process.
ProcessHandle: Handle to the Process
ProcessInformationClass: Type of information to be retrieved from the process
ProcessInformation:
ProcessInformationLength:
ReturnLength:
ProcessInformationClass
We will select the ProcessBasicInformation
which is 0
because we need the PEB address, the whole table is present here
We need PEB address because we can then find the base address
of the executable, then it can be parsed in order to find the Entrypoint
of the EXE.
WorkFlow (To find BaseAddress of executable)
Now, We have the PEB address but we can not read it, because it's on a remote process. So in order to read it we can use
ReadProcessMemory
.
ReadProcessMemory
This will be used to read the contents of the PEB at offset of 0x10
PE File Structure (Read more at Here)
After reaching to the base address, we will read 0x200
bytes (using ReadProcessMemory
) from the base address.
Workflow (To read the offset to e_lfanew)
By analysing these 0x200
bytes, we will find the address of e_lfanew
at 0x3c
offset from the base address of executable.
e_lfanew: 4 byte offset which tells us where the PE header is located (offset to PE Header)
ADD the offset we got from
e_lfanew
toBaseAddress of executable
Now we need to navigate to the AddressofEntryPoint
which is 0x28
from the PE header location
AddressofEntryPoint (0x28 from PE Header)
Here we will get the RVA for Entrypoint
of the application, and RVA is just an offset
so it needs to be Added with the base address of the remote proccess to find the absolute virtual memory address.
Case Study
Steps before actual calculations
Start the process in
Suspended
modeUse
zwqueryinformationprocess
to find the PEB Address
Now Actual Case Study
we have the PEB Address:
0x3004000
Task: Find the memory address of the entrypoint of the application
We ADD
0x10
in PEB Address == (0x3004010
) -> to find the Base Address of the executable, we read the value of the address above and it comes out as0x7ffff01000000
Base Address of the Executable ==
0x7ffff01000000
Read the
0x200
bytes usingReadProcessMemory
for inspecting locallyCheck the
0x3c
location fromBase Address of the Executable
==0x7ffff0100003c
to find the e_lfanew header
e_lfanew header at
0x7ffff0100003c
will give the offset toPE Header
PE Header
the offset we got is0x110
Add the total offset bytes to the
Base Address of the Executable
->0x7ffff01000000
+0x110
==0x7ffff01000110
So PE Header is at
0x7ffff01000110
From PE Header, we need to read
0x28
ahead in order to find the RVA forEntrypoint
of the application
PE Header memory address +
0x28
->0x7ffff01000110
+0x28
==0x7ffff01000138
RVA memory address found (
0x7ffff01000138
)So navigating to this address will lead us to the
Entrypoint of the application
Add the offset received from RVA to
Base Address of the Executable
Now we just need to overwrite the memory space from this
Base Address of the Executable
with our shellcode to run it
Last updated