Inferensys

Glossary

Process Hollowing

A code injection technique where a legitimate process is launched in a suspended state, its memory is unmapped, and replaced with malicious code to evade detection.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
CODE INJECTION TECHNIQUE

What is Process Hollowing?

A stealthy malware technique where a legitimate process is created in a suspended state, its memory is unmapped, and replaced with malicious code to evade detection by security tools.

Process hollowing is a code injection technique where an attacker launches a legitimate Windows process (e.g., svchost.exe) in a suspended state, unmaps its original executable memory, and replaces it with malicious payload code before resuming execution. This allows malware to masquerade as a trusted, signed binary while executing arbitrary code.

The attack exploits the Windows process creation API by calling CreateProcess with the CREATE_SUSPENDED flag, then uses NtUnmapViewOfSection to deallocate the original image. The hollowed process retains the parent process identity and digital signature of the legitimate binary, effectively bypassing application whitelisting and endpoint detection systems.

CODE INJECTION TECHNIQUE

Key Characteristics of Process Hollowing

Process hollowing is a sophisticated evasion technique where a legitimate process is created in a suspended state, its executable memory is unmapped, and replaced with malicious code. This allows the attacker to execute arbitrary payloads under the guise of a trusted, signed binary.

01

Suspended Process Creation

The attack begins by calling CreateProcess with the CREATE_SUSPENDED flag. This initializes the process in a paused state before any code executes. The target is typically a trusted Windows binary like svchost.exe or explorer.exe. At this stage, the process's thread context and memory layout are captured, providing the attacker with a clean, legitimate container to hollow out.

02

Memory Unmapping & Hollowing

Using NtUnmapViewOfSection, the attacker deallocates the legitimate executable's memory region. This removes all traces of the original binary from the process's address space. The process now exists as an empty shell with a valid Process Environment Block (PEB) and process ID, but no executable code. This step is critical for evading signature-based detection that scans for known malicious binaries.

03

Malicious Payload Injection

The attacker allocates new memory within the hollowed process using VirtualAllocEx and writes the malicious payload. The payload is typically a Portable Executable (PE) file loaded manually without the standard Windows loader. Key steps include:

  • Copying PE headers and sections
  • Performing base relocations
  • Resolving import address tables
  • Setting correct memory permissions (PAGE_EXECUTE_READWRITE)
04

Thread Context Manipulation

The final step modifies the suspended thread's context to point to the malicious entry point. Using SetThreadContext, the attacker updates the EAX/RBX register (for x86/x64) to the address of the new entry point. When ResumeThread is called, execution begins at the malicious code while the process appears legitimate to security tools monitoring process creation events.

05

Detection Evasion Mechanisms

Process hollowing bypasses multiple security controls simultaneously:

  • Application Whitelisting: The process appears as a signed, trusted binary
  • Parent-Child Relationship Analysis: The process tree looks legitimate
  • Disk-Based Scanning: No malicious executable is ever written to disk
  • EDR Hooking: The payload can be injected before user-mode hooks are loaded Advanced variants use PPID spoofing to further disguise the parent process lineage.
06

Defensive Countermeasures

Detection requires behavioral analysis rather than static signatures:

  • Memory forensics: Compare in-memory PE contents with on-disk binary
  • VAD tree analysis: Detect discrepancies between mapped memory and the original executable
  • ETW telemetry: Monitor for NtUnmapViewOfSection calls on newly created processes
  • Kernel callbacks: Use PsSetCreateProcessNotifyRoutine to inspect process creation anomalies
  • AMSI integration: Scan memory allocations before thread resumption
PROCESS HOLLOWING EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about process hollowing, a sophisticated code injection technique used to evade detection by masquerading malicious code as legitimate software.

Process hollowing is a code injection technique where an attacker launches a legitimate process in a suspended state, unmaps its original executable memory, and replaces it with malicious code before resuming execution. The attack unfolds in four distinct stages: First, the attacker calls CreateProcess with the CREATE_SUSPENDED flag, initializing a trusted binary like svchost.exe in a paused state. Second, the attacker deallocates the legitimate process's memory section using NtUnmapViewOfSection to hollow out the executable image. Third, the attacker allocates new memory within the suspended process via VirtualAllocEx and writes the malicious payload into that space. Finally, the attacker sets the thread context to point to the malicious entry point using SetThreadContext and calls ResumeThread to execute the injected code. Because the process appears in task managers and security tools as a signed, trusted application, the malicious activity remains hidden from traditional signature-based detection.

CODE INJECTION COMPARISON

Process Hollowing vs. Related Injection Techniques

Comparative analysis of process hollowing against other common code injection and evasion techniques used in agent impersonation and lateral movement attacks.

FeatureProcess HollowingDLL InjectionProcess Doppelgänging

Target Process State

Suspended on creation

Running process

Transacted file + suspended process

Disk Artifact

Modifies Legitimate Binary on Disk

Primary Evasion Mechanism

Legitimate process path + signed binary

Code execution within trusted process

NTFS transaction to hide file operations

Memory Section Manipulation

Unmap + replace

Allocate + write

Overwrite via transacted section

Detectable via HollowFind

Requires SeDebugPrivilege

Typical AV Detection Rate

12-18%

45-60%

5-8%

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.