Process hollowing is a code injection technique where an attacker launches a legitimate Windows process (e.g., svchost.exe) in a suspended state, unmaps its original executable memory, and replaces it with malicious payload code before resuming execution. This allows malware to masquerade as a trusted, signed binary while executing arbitrary code.
Glossary
Process Hollowing

What is Process Hollowing?
A stealthy malware technique where a legitimate process is created in a suspended state, its memory is unmapped, and replaced with malicious code to evade detection by security tools.
The attack exploits the Windows process creation API by calling CreateProcess with the CREATE_SUSPENDED flag, then uses NtUnmapViewOfSection to deallocate the original image. The hollowed process retains the parent process identity and digital signature of the legitimate binary, effectively bypassing application whitelisting and endpoint detection systems.
Key Characteristics of Process Hollowing
Process hollowing is a sophisticated evasion technique where a legitimate process is created in a suspended state, its executable memory is unmapped, and replaced with malicious code. This allows the attacker to execute arbitrary payloads under the guise of a trusted, signed binary.
Suspended Process Creation
The attack begins by calling CreateProcess with the CREATE_SUSPENDED flag. This initializes the process in a paused state before any code executes. The target is typically a trusted Windows binary like svchost.exe or explorer.exe. At this stage, the process's thread context and memory layout are captured, providing the attacker with a clean, legitimate container to hollow out.
Memory Unmapping & Hollowing
Using NtUnmapViewOfSection, the attacker deallocates the legitimate executable's memory region. This removes all traces of the original binary from the process's address space. The process now exists as an empty shell with a valid Process Environment Block (PEB) and process ID, but no executable code. This step is critical for evading signature-based detection that scans for known malicious binaries.
Malicious Payload Injection
The attacker allocates new memory within the hollowed process using VirtualAllocEx and writes the malicious payload. The payload is typically a Portable Executable (PE) file loaded manually without the standard Windows loader. Key steps include:
- Copying PE headers and sections
- Performing base relocations
- Resolving import address tables
- Setting correct memory permissions (PAGE_EXECUTE_READWRITE)
Thread Context Manipulation
The final step modifies the suspended thread's context to point to the malicious entry point. Using SetThreadContext, the attacker updates the EAX/RBX register (for x86/x64) to the address of the new entry point. When ResumeThread is called, execution begins at the malicious code while the process appears legitimate to security tools monitoring process creation events.
Detection Evasion Mechanisms
Process hollowing bypasses multiple security controls simultaneously:
- Application Whitelisting: The process appears as a signed, trusted binary
- Parent-Child Relationship Analysis: The process tree looks legitimate
- Disk-Based Scanning: No malicious executable is ever written to disk
- EDR Hooking: The payload can be injected before user-mode hooks are loaded Advanced variants use PPID spoofing to further disguise the parent process lineage.
Defensive Countermeasures
Detection requires behavioral analysis rather than static signatures:
- Memory forensics: Compare in-memory PE contents with on-disk binary
- VAD tree analysis: Detect discrepancies between mapped memory and the original executable
- ETW telemetry: Monitor for
NtUnmapViewOfSectioncalls on newly created processes - Kernel callbacks: Use
PsSetCreateProcessNotifyRoutineto inspect process creation anomalies - AMSI integration: Scan memory allocations before thread resumption
Frequently Asked Questions
Clear, technical answers to the most common questions about process hollowing, a sophisticated code injection technique used to evade detection by masquerading malicious code as legitimate software.
Process hollowing is a code injection technique where an attacker launches a legitimate process in a suspended state, unmaps its original executable memory, and replaces it with malicious code before resuming execution. The attack unfolds in four distinct stages: First, the attacker calls CreateProcess with the CREATE_SUSPENDED flag, initializing a trusted binary like svchost.exe in a paused state. Second, the attacker deallocates the legitimate process's memory section using NtUnmapViewOfSection to hollow out the executable image. Third, the attacker allocates new memory within the suspended process via VirtualAllocEx and writes the malicious payload into that space. Finally, the attacker sets the thread context to point to the malicious entry point using SetThreadContext and calls ResumeThread to execute the injected code. Because the process appears in task managers and security tools as a signed, trusted application, the malicious activity remains hidden from traditional signature-based detection.
Process Hollowing vs. Related Injection Techniques
Comparative analysis of process hollowing against other common code injection and evasion techniques used in agent impersonation and lateral movement attacks.
| Feature | Process Hollowing | DLL Injection | Process Doppelgänging |
|---|---|---|---|
Target Process State | Suspended on creation | Running process | Transacted file + suspended process |
Disk Artifact | |||
Modifies Legitimate Binary on Disk | |||
Primary Evasion Mechanism | Legitimate process path + signed binary | Code execution within trusted process | NTFS transaction to hide file operations |
Memory Section Manipulation | Unmap + replace | Allocate + write | Overwrite via transacted section |
Detectable via HollowFind | |||
Requires SeDebugPrivilege | |||
Typical AV Detection Rate | 12-18% | 45-60% | 5-8% |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the core techniques, evasion methods, and adjacent attack vectors that define and defend against process hollowing in modern Windows environments.
Process Creation in Suspended State
The foundational mechanism of process hollowing. The Windows API CreateProcess is called with the CREATE_SUSPENDED flag (0x00000004). This initializes the process in memory, maps ntdll.dll, and sets up the Process Environment Block (PEB), but halts execution before any code runs. The thread's EAX register points to the entry point, allowing the attacker to hijack the execution context before the legitimate image initializes.
NtUnmapViewOfSection
A critical undocumented NTAPI function used to hollow the target process. After suspending the legitimate process, the attacker calls NtUnmapViewOfSection to deallocate the memory section containing the original executable image. This leaves an empty process shell with a valid PEB and loaded system DLLs, ready to receive the malicious payload. The function requires the process handle and the base address of the image, typically retrieved from the PEB's ImageBaseAddress field.
PEB Manipulation
The Process Environment Block (PEB) is a user-mode data structure that the Windows loader uses to manage process state. After injecting malicious code, the attacker must manually update the PEB's ImageBaseAddress to point to the new payload. Failure to do this causes tools like Task Manager to display the original process name, but debugging and some API calls will fail or behave erratically, potentially revealing the compromise.
Process Doppelgänging
An advanced fileless evolution of process hollowing that abuses NTFS transactions. Instead of dropping a malicious executable to disk, the attacker creates a transacted file, writes the malicious payload, and then creates a process section from the modified transaction. The original file is never committed, leaving minimal forensic evidence on the file system. This technique bypasses many antivirus solutions that rely on file system filter drivers.
Thread Execution Hijacking
A variant that targets an already running process rather than creating a new suspended one. The attacker allocates memory in the target process, writes shellcode, and then uses SetThreadContext to redirect the instruction pointer of an existing thread to the malicious code. This avoids the suspicious pattern of creating a process in a suspended state, which is heavily monitored by Endpoint Detection and Response (EDR) solutions.
API Monitoring & Detection
Defenders detect process hollowing by monitoring for high-entropy sequences of system calls. Key indicators include:
- CREATE_SUSPENDED followed by
NtUnmapViewOfSection VirtualAllocExwith PAGE_EXECUTE_READWRITE permissionsWriteProcessMemorytargeting the base address of a recently unmapped sectionSetThreadContextto modify the suspended thread's entry point- Discrepancies between the VAD tree and the PEB's ImageBaseAddress

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us