
RCO: Process Hollowing


| Target OS | Demo                      |
|-----------|---------------------------|
| Linux     | process_hollowing_linux   |
| Windows   | process_hollowing_windows |

How it works

Windows process hollowing works by creating a suspended process and writing the shellcode over the entry point of the process’s main thread. It then resumes the suspended process, which in turn executes the shellcode.

Linux process hollowing functions a little differently. First, the executable creates a child process by cloning itself. Then it overwrites the child process’s instruction pointer with shellcode. Because this process was not running before the attack, it is unlikely this will cause any issues on the victim machine.
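The Linux variant described above leaves the child's instruction pointer inside memory that is executable but backed by no file. The following detection heuristic, added here and not part of the RCO project, applies that observation to the text of /proc/<pid>/maps; the maps content and thread addresses are constructed sample data, and the helper names are my own:

```python
import re
from dataclasses import dataclass
# Constructed sample /proc/<pid>/maps: a normal binary, an anonymous rwx
# region (where a hollowed child's instruction pointer would land), the
# stack, and the vDSO (executable, not file-backed, but expected).
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234 /usr/bin/victim
00401000-00402000 r-xp 00001000 08:01 1234 /usr/bin/victim
7f00deadb000-7f00deadc000 rwxp 00000000 00:00 0
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
7ffc00100000-7ffc00102000 r-xp 00000000 00:00 0 [vdso]
"""
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")
KNOWN_SPECIAL = {"[vdso]", "[vsyscall]"}  # kernel-provided, legitimately executable

@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

def parse_maps(text: str) -> list[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records (one per line)."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            maps.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return maps

def classify_ip(ip: int, maps: list[Mapping]) -> str:
    """'ok' for a file-backed (or vDSO) executable mapping; 'anonymous-exec'
    for executable memory with no backing file (hollowing/injection lead,
    though JIT runtimes also create such regions); 'non-exec' when the
    mapping lacks x; 'not-mapped' when nothing covers the address."""
    for mp in maps:
        if mp.start <= ip < mp.end:
            if "x" not in mp.perms:
                return "non-exec"
            if mp.path in KNOWN_SPECIAL or (mp.path and not mp.path.startswith("[")):
                return "ok"
            return "anonymous-exec"
    return "not-mapped"

def suspicious_threads(maps_text: str, ips: dict[int, int]) -> dict[int, str]:
    """Return tid -> verdict for every thread whose instruction pointer is not 'ok'."""
    maps = parse_maps(maps_text)
    return {t: v for t, ip in ips.items() if (v := classify_ip(ip, maps)) != "ok"}
```

On a live system the per-thread instruction pointer can be read as the last field of /proc/<pid>/task/<tid>/syscall; an "anonymous-exec" verdict is a lead to investigate, not proof, since JIT runtimes also execute from anonymous memory.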

Using it

  1. [Not shown in demo] Generate shellcode for the desired end result (for example, use msfvenom to generate reverse TCP shell shellcode for the target operating system)
  2. [Not shown in demo] Open the config file and replace the shellcode with the shellcode generated in step 1
  3. [Optional - shown in xor_params demo] Encrypt the shellcode and target process using xor_params and update the encrypted shellcode value in the config file
  4. [Not shown in demo] Compile the executable, including the xor feature only if you did step 3. The --features value is any comma-separated subset of antisand, antistring and xor; omit the flag to build with no features.
     1. Build for Linux target
        cargo build -p process_hollowing [--features antisand,antistring,xor] --release
     2. Build for Windows target
        cargo build --target x86_64-pc-windows-gnu -p process_hollowing [--features antisand,antistring,xor] --release
  5. Start a netcat listener on the attacking machine on the same port you configured the shellcode to connect to in step 1
     nc -nlvp 4444
  6. Execute the payload on the victim machine
  7. Return to the listener and enter the desired commands for the victim machine to run

Detection rates

| Target OS | Features                 | Detections | Screenshot                                         |
|-----------|--------------------------|------------|----------------------------------------------------|
| Linux     | None                     | 7 / 40     | process_hollowing_linux                            |
| Linux     | xor                      | 1 / 40     | process_hollowing_linux_xor                        |
| Windows   | None                     | 12 / 40    | process_hollowing_windows                          |
| Windows   | antisand                 | 11 / 40    | process_hollowing_windows_antisand                 |
| Windows   | antisand,antistring      | 11 / 40    | process_hollowing_windows_antisand_antistring      |
| Windows   | antistring               | 11 / 40    | process_hollowing_windows_antistring               |
| Windows   | antistring,xor           | 1 / 40     | process_hollowing_windows_antistring_xor           |
| Windows   | xor                      | 1 / 40     | process_hollowing_windows_xor                      |
| Windows   | antisand,xor             | 0 / 40     | process_hollowing_windows_antisand_xor             |
| Windows   | antisand,antistring,xor  | 0 / 40     | process_hollowing_windows_antisand_antistring_xor  |