Process Hollowing (RunPE Research)

Discussion in 'Advanced Hacking' started by BitmasterXor, Oct 15, 2021.

  1. Admin Post by BitmasterXor (Administrator, Staff Member)

    Most of you out there have probably always wondered how a runtime crypter functions. Well, the answer can be found by researching PEs, or Portable Executable files, in Microsoft Windows. If you can understand how a process is loaded in Microsoft Windows, you can better understand what is happening under the hood, so to speak, and with just a little reverse engineering skill you can create a hollowed-out process and use it to bypass antivirus!

    Here are some helpful links to assist you in your research:
    https://blog.kwiatkowski.fr/?q=en/process_hollowing
    https://www.autosectools.com/Process-Hollowing.pdf
    https://countuponsecurity.com/2015/12/07/malware-analysis-dridex-process-hollowing/

    And one other thing, guys: I do recommend that you read this book:

    There is a section in this book which covers the Process Hollowing Technique in vivid detail. Very useful for IT Security Researchers!

    Check out this book in our Site Resources: https://hackergrounds.com/index.php?resources/malware-analysts-cookbook.9/
     
    duckarcher likes this.
  2. Admin Post by BitmasterXor (Administrator, Staff Member)

    The idea behind a RunPE, or "Run Portable Executable" method, is that antivirus cannot detect what it cannot see. So essentially a RunPE module is created and used to keep malware from physically touching the HDD/SSD of a computer system. In other words, the malware is encrypted/decrypted from and to its original state 100% in RAM/memory, thus never actually touching the hard disk drive/solid state drive, where the antivirus would then be able to flag it by means of a virus definitions database.
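The flip side of the post above, for anyone on the blue-team side of this: because the payload only ever exists in memory, disk scanning misses it, so detection has to look at the process image that is actually mapped rather than the file on disk. A hollowed process keeps a legitimate executable's name and on-disk file, but the PE image in its memory no longer matches that file. The example below is added here (it is not code from the thread or its author) and shows that comparison: it parses the PE header fields an injector has to change (entry point, image base, section layout) from an "on-disk" image and an "in-memory" image and reports the differences. Both images are constructed in code for the demo and are not real executables; `build_pe`, `parse_pe`, `compare_images` and `demo` are names chosen for this example.

```python
"""Detection-side illustration: compare a process's on-disk PE header with the
PE header mapped in its memory.  Constructed sample images, runs offline."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
OPT_MAGIC_PE32PLUS = 0x20B


def parse_pe(image: bytes) -> dict:
    """Parse the fields a hollowing check cares about from a PE32+ image.

    Offsets follow the PE/COFF spec:
      DOS header: 'MZ' at 0, e_lfanew (DWORD) at 0x3C
      NT headers at e_lfanew: 'PE\\0\\0', 20-byte COFF header, optional header
      COFF: NumberOfSections at +2, SizeOfOptionalHeader at +16
      PE32+ optional header: Magic at +0, AddressOfEntryPoint at +16,
                             ImageBase (QWORD) at +24
      Section table (40 bytes each): Name(8), VirtualSize(4), VirtualAddress(4)
    """
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != OPT_MAGIC_PE32PLUS:
        raise ValueError("only PE32+ images are handled in this example")
    entry_point = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    sections = []
    table = opt + size_opt
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)
        sections.append((name, vaddr, vsize))
    return {"entry_point": entry_point, "image_base": image_base,
            "sections": sections}


def compare_images(on_disk: bytes, in_memory: bytes) -> list:
    """Return a list of human-readable findings; an empty list means the
    mapped image still matches the file it claims to be."""
    disk, mem = parse_pe(on_disk), parse_pe(in_memory)
    findings = []
    if disk["entry_point"] != mem["entry_point"]:
        findings.append("entry point changed: disk=0x%x mem=0x%x"
                        % (disk["entry_point"], mem["entry_point"]))
    # Caveat: under ASLR the true load address can differ from the header's
    # ImageBase, so treat this field as a weaker signal than the other two.
    if disk["image_base"] != mem["image_base"]:
        findings.append("image base changed: disk=0x%x mem=0x%x"
                        % (disk["image_base"], mem["image_base"]))
    if disk["sections"] != mem["sections"]:
        findings.append("section table differs: disk=%r mem=%r"
                        % (disk["sections"], mem["sections"]))
    return findings


def build_pe(entry_point: int, image_base: int, sections) -> bytes:
    """Construct a minimal, non-executable PE32+ header image for the demo.
    `sections` is a list of (name, VirtualAddress, VirtualSize)."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    opt = bytearray(240)                              # PE32+ optional header size
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32PLUS)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<Q", opt, 24, image_base)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8sII", name.encode(), vsize, vaddr) + bytes(24)
                     for name, vaddr, vsize in sections)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + table


def demo() -> list:
    """Constructed scenario: the on-disk host binary versus a mapped image whose
    entry point, base and sections were replaced by a different PE."""
    on_disk = build_pe(0x1500, 0x140000000,
                       [(".text", 0x1000, 0x3000), (".rdata", 0x4000, 0x800)])
    hollowed = build_pe(0x2000, 0x400000,
                        [(".text", 0x1000, 0x6000), (".data", 0x7000, 0x1000)])
    return compare_images(on_disk, hollowed)


if __name__ == "__main__":
    for finding in demo():
        print("[!]", finding)
```

On a live system the "in-memory" bytes would come from reading the process's image at its load address (the approach memory-forensics tools take against a dump) and the "on-disk" bytes from the path the process reports; a clean process yields no findings, while a hollowed one trips the entry point and section checks even though its on-disk file is untouched.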