GET /api/techniques/88/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 88,
    "key": "process-hollowing-runpe",
    "unprotect_id": "U1225, E1055.012",
    "name": "Process Hollowing, RunPE",
    "description": "Process hollowing (also called RunPE) is a technique used by malware to evade detection by running malicious code inside a legitimate process. The malware creates a new instance of a legitimate executable in a suspended state, unmaps the original image from that process and replaces it with the malicious payload, so the code runs under the name, path and parent of the trusted process.\r\n\r\nThe process is the following:\r\n\r\n* `CreateProcess`: creates the target process in suspended mode with the `CREATE_SUSPENDED` creation flag (0x00000004), so its main thread never executes the original image.\r\n* `GetThreadContext`: retrieves the context of the suspended main thread.\r\n* `ZwUnmapViewOfSection` (`NtUnmapViewOfSection`): unmaps the view of the original image section from the virtual address space of the target process.\r\n* `VirtualAllocEx`: allocates memory within the suspended process's address space, normally at the payload's preferred image base (or elsewhere if the payload can be relocated).\r\n* `WriteProcessMemory`: writes the PE headers and each section of the payload into the memory just allocated within the suspended process.\r\n* `SetThreadContext`: points the thread at the payload's entry point. This is the EAX register in a 32-bit `CONTEXT` and RCX for a 64-bit target; if the payload was loaded at a different base, the `ImageBaseAddress` field of the PEB (referenced by EBX/RDX) is updated as well.\r\n* `ResumeThread`: resumes the main thread of the suspended process, which now executes the payload.\r\n\r\nBecause the original image was unmapped, the in-memory image no longer matches the on-disk file the process was created from and the payload lives in private (non-image-backed) memory; memory-forensics and EDR tooling detects hollowing by comparing the two and by flagging executable private regions at the expected image base.",
    "resources": "https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf\nhttps://speakerdeck.com/fr0gger/teslacrypt-ransomware-analysis",
    "creation_date": "2019-03-18T13:56:37Z",
    "tags": "Process hollowing, malware, evading detection, injecting, malicious code, legitimate process, memory modification",
    "modification_date": "2023-10-04T10:44:56.452000Z",
    "category": [
        4
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [
        3,
        4,
        6,
        11,
        12,
        15,
        22,
        23,
        132,
        357,
        380,
        381,
        388
    ],
    "contributors": []
}