Get full access to Learning Malware Analysis and 60K+ other titles, with a free 10-day trial of O'Reilly.

There are also live events, courses curated by job role, and more.

2.1 Hollow Process Injection Steps

The following steps describe how malware normally performs process hollowing. Let’s assume that there are two processes, A and B. In this case, process A is the malicious process and process B is the legitimate process (also known as a remote process) such as explorer.exe:

Process A starts a legitimate process, B, in the suspended mode. As a result of that, the executable section of process B is loaded in the memory, and the PEB (Process Environment Block) identifies the full path to the legitimate process. The PEB structure's ImageBaseAddress field points to the base address where the legitimate process executable is loaded.
Process A gets the malicious executable that will be injected into the remote ...

Get Learning Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Don’t leave empty-handed

Get Mark Richards’s Software Architecture Patterns ebook to better understand how to design components—and how they should interact.

It’s yours, free.

Get it now

Check it out now on O’Reilly

Dive in for free with a 10-day trial of the O’Reilly learning platform—then explore all the other resources our members count on to build skills and solve problems every day.

Start your free trial Become a member now