Showing posts from May, 2019

Detecting hollow process injection using memory forensic with Volatility

Key point to remember: PEB (Process Environment Block)

The Process Environment Block is a data structure in Windows NT systems. The PEB can be read by other applications to obtain information such as the heap address, memory offsets, or whether the program is being debugged.

Process hollowing, or hollow process injection, is an in-memory code injection technique in which malware creates a process in a suspended state, overwrites its code in memory with malicious content, and then resumes execution. Malware authors use this technique because nothing is written to the hard drive, which makes it a good way to bypass most antivirus and signature-based detection.

How does hollow process injection work? Suppose there are two processes, x and y, where y is the legitimate process (also called the remote process) and x is the malicious process. X creates the legitimate process in a suspended state, and the executable section of y is loaded into memory. The malware gets the base address of this legit pro