“Memhunter” vs “Sysmon v13.01” & Process Hollowing Technique

Process Hollowing is one of the top techniques which is used by Advanced Malware like “Duqu”and still using by Hackers & Malwares (still is useful…)

i had some simple tests for this Technique by my own code & “Minjector” made by “Marcos Oviedo” (https://github.com/marcosd4h/memhunter) also i tested New Version for “Sysmon v13.01” and “Memhunter” for Technique Detection… (in this case Process Hollowing Detection)

Process Hollowing technique with “Minjector.exe” Detected by “Sysmon v13.01” also Detected by “Memhunter” (ETW tool) but this technique with “NativePayload_TIPH.cs” code “Not Detected” by Sysmon v13.01 very well also Not Detected by Memhunter! ;)

Process Hollowing technique with “Minjector.exe” Detected by “Sysmon v13.01” also Detected by “Memhunter” (ETW tool)

this technique(process hollowing) with “NativePayload_TIPH.cs” code “Not Detected” by Sysmon v13.01 very well also Not Detected by Memhunter! ;)

this technique with “NativePayload_TIPH.cs” code “Not Detected” by Sysmon v13.01 very well also Not Detected by Memhunter! ;)

as you can see PID for target process was not Detected correctly by “Sysmon v13.01” also not detected by “Memhunter” tool too.

video : https://www.youtube.com/watch?v=XBkXnqyI8uM

Related Article : Process Hollowing vs “ETWProcessMon.cs” : https://lnkd.in/eSwzM_m

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store