Hollowise: New Windows Tool Enables Stealthy Code Execution via Process Hollowing & PPID Spoofing
Hollowise is a Windows-based tool that implements process hollowing and PPID (Parent Process ID) spoofing. It allows debuggers, code analysis tools and network analyzers to run stealthily by replacing the memory of a suspended process (e.g. calc.exe) with arbitrary code while masquerading the PEB, under a legitimate parent process (explorer.exe).
Features
- Process Hollowing: Replaces the memory of a legitimate process with a custom payload.
- PPID Spoofing: Creates a new process while spoofing its parent process (default: explorer.exe).
- Window Title Manipulation: Dynamically modifies the window title of the injected process.
- Memory Relocation Handling: Ensures correct relocation of the payload to match the new process base address.
- Remote CommandLine & ImagePathName Modification: Adjusts process parameters in memory.
Usage
hollowise.exe [legit_process.exe] [payload.exe path] [WindowTitle]
legit_process.exe: A legitimate Windows executable (e.g., calc.exe) to be hollowed
payload.exe path: The malware analysis tool to hide
WindowTitle: The new window title for the injected process
Example command line for starting x64dbg masked as calc.exe with the window title "EatMySocks":
hollowise.exe "C:\Windows\system32\calc.exe" "C:\Program Files\x3264dbg\x64\x64dbg.exe" EatMySocks
Note: This project provides an opportunity to explore techniques commonly used by malware for educational purposes.