“Memhunter” vs “Sysmon v13.01” & Process Hollowing Technique
Process Hollowing is one of the top techniques used by advanced malware such as “Duqu”, and it is still used by attackers and malware today (it is still effective…).
I ran some simple tests of this technique using my own code and “Minjector”, written by “Marcos Oviedo” (https://github.com/marcosd4h/memhunter). I also tested the new version of “Sysmon v13.01” and “Memhunter” for technique detection (in this case, Process Hollowing detection)…
Process Hollowing with “Minjector.exe” was detected by “Sysmon v13.01” and also by “Memhunter” (ETW tool), but the same technique with the “NativePayload_TIPH.cs” code was not detected well by Sysmon v13.01 and was not detected by Memhunter at all! ;)
As you can see, the PID of the target process was not reported correctly by “Sysmon v13.01”, and the hollowing was not detected by the “Memhunter” tool either.
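As an added defender-side check (this is not code from the original post, from the Memhunter project, or from Sysinternals), the following Python script correlates Sysmon v13 ProcessCreate (Event ID 1) and ProcessTampering (Event ID 25) records exported as XML. Event ID 25 with Type “Image is replaced” is the signal Sysmon 13 raises for a hollowed process; the script reports each such record together with the parent image from the matching ProcessCreate record, and flags tampering records whose ProcessId does not line up with any ProcessCreate record, which is the PID mismatch symptom described above. The sample records, GUIDs, and paths are constructed for this example; the `Data Name` fields follow Sysmon's event schema.

```python
"""Correlate Sysmon ProcessCreate (Event ID 1) and ProcessTampering (Event ID 25)
records and flag processes whose image was replaced after creation.
The records below are constructed for this example, not captured logs."""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon records
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export (placeholder GUIDs and paths):
#  1. ProcessCreate for notepad.exe launched by a lab injector
#  2. ProcessTampering "Image is replaced" for that same process (hollowing signal)
#  3. ProcessTampering "Image is locked for access" for it (lower-severity noise)
#  4. ProcessTampering "Image is replaced" whose ProcessId has no ProcessCreate record
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-20 10:00:00.000</Data>
    <Data Name="ProcessGuid">{AAAAAAAA-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ParentImage">C:\Users\lab\injector.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-20 10:00:00.250</Data>
    <Data Name="ProcessGuid">{AAAAAAAA-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="Type">Image is replaced</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-20 10:00:00.300</Data>
    <Data Name="ProcessGuid">{AAAAAAAA-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="Type">Image is locked for access</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-20 10:00:05.000</Data>
    <Data Name="ProcessGuid">{AAAAAAAA-0000-0000-0000-000000000002}</Data>
    <Data Name="ProcessId">5151</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="Type">Image is replaced</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Turn a Sysmon XML export into a list of dicts keyed by the Data Name fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        data["EventID"] = int(ev.find("e:System/e:EventID", NS).text)
        events.append(data)
    return events


def find_tampering(events):
    """Report every ProcessTampering record, joined to its ProcessCreate record by ProcessGuid."""
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 25:
            continue
        origin = created.get(e["ProcessGuid"])
        findings.append({
            "time": e["UtcTime"],
            "pid": int(e["ProcessId"]),
            "image": e["Image"],
            "type": e["Type"],
            # "Image is replaced" is the hollowing indicator; "locked for access" is common noise
            "severity": "high" if e["Type"] == "Image is replaced" else "info",
            "parent_image": origin["ParentImage"] if origin else None,
            # False when no ProcessCreate record shares the GUID and PID (the PID mismatch case)
            "pid_matches_create": bool(origin) and origin["ProcessId"] == e["ProcessId"],
        })
    return findings


if __name__ == "__main__":
    for f in find_tampering(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']:4}] pid={f['pid']} {f['image']} ({f['type']}) "
              f"parent={f['parent_image']} pid_ok={f['pid_matches_create']}")
```

On a real host the same correlation can be run over the output of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` exported with `ToXml()`; a `high` finding whose `pid_matches_create` is False deserves a closer look, since the process that Sysmon saw tampered with cannot be tied back to a creation record.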
video : https://www.youtube.com/watch?v=XBkXnqyI8uM
Related Article : Process Hollowing vs “ETWProcessMon.cs” : https://lnkd.in/eSwzM_m