Share this page!

inversecos Profile picture
Twitter logo
Jan 31 4 tweets 2 min read
1\ #MalwareAnalysis: Detecting Process Hollowing
The first pattern to look for are any calls to create processes in a suspended state:

> CreateProcessA
"dwCreationFlags" set 0x04 CREATE_SUSPENDED

Purpose is to disguise malicious code in a legit exe by replacing the contents.
2\ Following the process being started in a suspended state... (usually svchost.exe but who's counting). Then there are API calls to native/non native APIs:

> ZwUnmapviewofsection
> virtualallocex
> writeprocessmemory
> setthreadcontext
> NTgetcontextthread
> ntreadvirtualmemory
3\ Other ones:
> NTResumethread
> NTwritevirtualmemory
> ntsetcontextthread

The logic is to look for signs of processes being started in suspended state - then the process being hollowed, replaced with "malicious" contents and resuming of execution.
4\ Native APIs being the ones with Nt/Zw refer to this tweet

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with inversecos

inversecos Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @inversecos

inversecos Profile picture
Oct 21, 2021
1\ #MobileForensics Tip: Did you know iOS, by default, tracks all locations that you visit to build a map of your life.

Artefacts:
> cache.sqlite
> cloud.sqlite
> local.sqlite

Tracked by IoS:
> When you arrived
> When you left
> Long/Lat

😝Photo is a parsed local.sqlite file
2\ In your iPhone the local.sqlite will render like this - as you can see I went to a grocery store 13 times. I was in lockdown don’t judge me.
3\ You can parse these using DB browser for sqlite - there are field names including longitude, latitude and also tracks when you arrived / left so it understands your dwell time. There are also fields pertaining to vehicle events i.e. you parked your car.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Like this author's thread?

Get emails when @inversecos has new unrolls!

Check out other threads from @inversecos!

Read all threads by @inversecos

:(