{"id":19369425,"url":"https://github.com/kara-4search/processhollowing_csharp","last_synced_at":"2025-07-05T00:03:12.327Z","repository":{"id":136107182,"uuid":"438227250","full_name":"Kara-4search/ProcessHollowing_CSharp","owner":"Kara-4search","description":"ProcessHollowing via csharp","archived":false,"fork":false,"pushed_at":"2021-12-21T23:56:01.000Z","size":39272,"stargazers_count":12,"open_issues_count":0,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-02T17:01:33.770Z","etag":null,"topics":["bypassedr","csharp","pentest","processhollowing","redteam"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kara-4search.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-14T11:28:13.000Z","updated_at":"2024-05-04T05:59:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"ea569831-1e90-48a0-a160-e8b520f2b079","html_url":"https://github.com/Kara-4search/ProcessHollowing_CSharp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FProcessHollowing_CSharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FProcessHollowing_CSharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FProcessHollowing_CSharp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FProcessHollowing_CSharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kara-4search","download_url":"https://codeload.github.com/Kara-4search/ProcessHollowing_CSharp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250460401,"owners_count":21434245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypassedr","csharp","pentest","processhollowing","redteam"],"created_at":"2024-11-10T08:11:13.665Z","updated_at":"2025-07-05T00:03:12.314Z","avatar_url":"https://github.com/Kara-4search.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ProcessHollowing_CSharp\n\nBlog link: not gonna update\n\n- Process Hollowing is a technique used by malware authors for evading endpoint detection.\n- The malware initially spawns a legitimate-looking process that is used as a container for executing malicious code.\n- The main idea is to create an executable section in the said legitimate process which in turn executes the malicious code.\n- The advantage of this technique is that tracing the malicious code back leads the analysis to the legitimate process.\n\n- Below are the steps followed while adding the Process Hollowing technique to the tool.\n\n\t- **Step 1: Create a new target process in a suspended state. This can be achieved by passing the Create_Suspended value in the dwCreationFlags parameter of the CreateProcess Windows API.**\n\t- **Step 2: Once the process is created in a suspended state, we create a new executable section. It won't be bound to any process.**\n\t- **Step 3: We need to locate the base address of the target process. This can be done by getting the ThreadContext.**\n\t\t- **Security researchers found that the Rdx register points to a memory location; 16 bytes after this location is the address of ImageBase.**\n\n\t- **Step 4: Hollowing the suspended process by calling the ZwUnmapViewOfSection API.**\n\t- **Step 5: Allocating space for the malware image.**\n\t- **Step 6: Rewriting the PE headers and sections into memory.**\n\t- **Step 7: Updating the ThreadContext's ImageBase and EntryPoint.**\n\t- **Step 8: Resuming the thread with the ResumeThread API.**\n\n- Only tested on Win10/x64; works fine.\n- **Below are the original process's and the malware process's paths**\n```\n\tstring CreateProcess_path = @\"C:\\Windows\\System32\\mspaint.exe\";\n\tstring ProcessReplace_path = @\"C:\\Windows\\System32\\cmd.exe\";\n```\n\n## Usage\n1. Check the OriPath and MalPath before you run.\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/ProcessHollowing_Path.png)\n2. Cmd shows up\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/ProcessHollowing_CMD.png)\n\n## TO-DO list\n- Restructure Code - (DONE)\n- Restructure Code2\n- PE relocation\n\n## Update history\n- Restructure Code - 20211222\n- Remove unnecessary code in ProcessHollow.cs - 20211222\n\n# Reference links:\n\t1. https://www.displayfusion.com/Discussions/View/converting-c-data-types-to-c/?ID=38db6001-45e5-41a3-ab39-8004450204b3\n\t2. https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwunmapviewofsection\n\t3. https://dev.to/wireless90/process-injection-process-hollowing-52m1\n\t4. https://blog.csdn.net/Entodie/article/details/100526765\n\t5. https://idiotc4t.com/code-and-dll-process-injection/setcontext-hijack-thread\n\t6. https://github.com/wireless90/ProcessInjector.NET/tree/main/ProcessInjector/ProcessHollowing\n\t7. https://3xpl01tc0d3r.blogspot.com/2019/10/process-injection-part-iii.html\n\t8. https://gist.github.com/affix/994d7b806a6eaa605533f46e5c27fa5e\n\t9. https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations\n\t10. http://blog.sina.com.cn/s/blog_a9303fd90101bwxj.html\n\t11. https://docs.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex\n\t12. https://blog.csdn.net/charge_release/article/details/52224839\n\t13. https://docs.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory\n\t14. https://docs.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext\n\t15. https://github.com/idiotc4t/ProcessHollow\n\t16. https://blog.csdn.net/weixin_43742894/article/details/105155482\n\t17. https://www.elastic.co/cn/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fprocesshollowing_csharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkara-4search%2Fprocesshollowing_csharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fprocesshollowing_csharp/lists"}