Analyzing Process hollowing with a look into Thread Context structure

In the previous blog, we saw how to use Procexplorer to analyze hollowed processes.

In this blog, we extend that analysis and look at how the thread context registers actually get manipulated before the thread is resumed.

1. In the first step, the victim process is created in suspended mode. Please note the CREATE_SUSPENDED flag.

Create Process with Suspended mode

In this case, the victim is C:\windows\system32\notepad.exe.
Once the process has been started in suspended mode, a call to ZwUnmapViewOfSection is made to unmap the original image and free that address range for the replacement.

The snapshot shows the hollowed out memory.

Hollowed out process memory

Then the PE header and PE sections of the replacement executable are written into the hollowed process memory.

After call to "WriteProcessMemory"

Then a call to GetThreadContext returns the thread's CONTEXT data structure. The snapshot below shows the CONTEXT structure dump before manipulation. You can see that its EAX register contains the entry point of notepad.exe.

pcontext_structure_before_manipulation_containing_notepad_EP

Now the EAX value in the CONTEXT structure is manipulated to contain the entry point of winmine.exe (the replacement executable).

pcontext_structure_modifying_EAX_to_Point_to_winmine

Once that is done, the suspended thread is resumed with a call to ResumeThread.
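As an added example (not code from the original post), the sequence described above expressed as detection logic run over a constructed API-monitor trace. The trace format, PIDs, addresses and the SetThreadContext call (the write-back of the modified CONTEXT) are assumptions for the example, not values from the post.

```python
import re

# Constructed sample API-monitor trace (assumed format, not from the original post):
# "<caller_pid> <api> <target_pid> key=value ...". PIDs, addresses and values are made up.
SAMPLE_TRACE = """\
1204 CreateProcessW 3340 flags=0x4 image=C:\\windows\\system32\\notepad.exe
1204 ZwUnmapViewOfSection 3340 base=0x01000000
1204 WriteProcessMemory 3340 addr=0x01000000 size=0x400
1204 WriteProcessMemory 3340 addr=0x01001000 size=0x9000
1204 GetThreadContext 3340 tid=3344
1204 SetThreadContext 3340 tid=3344 eax=0x01003E21
1204 ResumeThread 3340 tid=3344
5512 CreateProcessW 5520 flags=0x0 image=C:\\windows\\system32\\calc.exe
5512 ResumeThread 5520 tid=5524
"""

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit noted in the post

# The stages of the sequence described above, in the order they must appear.
STAGES = ("ZwUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

LINE_RE = re.compile(r"^(?P<caller>\d+)\s+(?P<api>\w+)\s+(?P<target>\d+)\s*(?P<detail>.*)$")


def parse_trace(text):
    """Turn trace lines into (caller_pid, api, target_pid, {key: value}) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than failing the whole scan
        detail = dict(kv.split("=", 1) for kv in m["detail"].split() if "=" in kv)
        events.append((int(m["caller"]), m["api"], int(m["target"]), detail))
    return events


def detect_hollowing(events):
    """Return {target_pid: info} for processes created CREATE_SUSPENDED that then saw
    unmap -> write -> context change -> resume, in that order, from any caller."""
    state, alerts = {}, {}
    for _caller, api, target, detail in events:
        if api in ("CreateProcessA", "CreateProcessW"):
            flags = int(detail.get("flags", "0"), 16)
            state[target] = {"image": detail.get("image"), "stages": [],
                             "suspended": bool(flags & CREATE_SUSPENDED)}
            continue
        st = state.get(target)
        if st is None or not st["suspended"] or target in alerts:
            continue
        if api == STAGES[len(st["stages"])]:      # next expected stage reached
            st["stages"].append(api)
            if api == "SetThreadContext":
                st["eax"] = detail.get("eax")      # the new entry point written into CONTEXT
        # A repeated stage (e.g. several WriteProcessMemory calls) is simply ignored.
        if len(st["stages"]) == len(STAGES):
            alerts[target] = st
    return alerts
```

The second process in the trace (created without CREATE_SUSPENDED and merely resumed) produces no alert, which is the false-positive case a simple "ResumeThread seen" rule would trip on.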

Hope you have enjoyed the read. Cheers 🙂


2 Responses to “Analyzing Process hollowing with a look into Thread Context structure”

  1. saurabh Says:

    Hi Dinesh,
    Can you tell the MD5 for the same.

    Saurabh
