Hollowise: New Windows Tool Enables Stealthy Code Execution via Process Hollowing & PPID Spoofing
Hollowise is a Windows-based tool that implements process hollowing and PPID (Parent Process ID) spoofing techniques. It allows stealthy execution of debuggers and of code and network analyzers by replacing the memory of a suspended process (e.g. calc.exe) with arbitrary code, masquerading its PEB, and running it under a legitimate parent process (explorer.exe).
Features
- Process Hollowing: Replaces the memory of a legitimate process with a custom payload.
- PPID Spoofing: Creates a new process while spoofing its parent process (default: explorer.exe).
- Window Title Manipulation: Dynamically modifies the window title of the injected process.
- Memory Relocation Handling: Ensures correct relocation of the payload to match the new process base address.
- Remote CommandLine & ImagePathName Modification: Adjusts process parameters in memory.
Use
hollowise.exe [legit_process.exe] [payload.exe path] [WindowTitle]
legit_process.exe: A legitimate Windows executable (e.g., calc.exe) to be hollowed
payload.exe path: The malware analysis tool to hide
WindowTitle: The new window title for the injected process

Example command line for starting x64dbg masked as calc.exe with the window text "EatMySocks":
hollowise.exe "C:\Windows\system32\calc.exe" "C:\Program Files\x3264dbg\x64\x64dbg.exe" EatMySocks
Note: This project provides an opportunity to explore techniques commonly used by malware for educational purposes.
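How the PPID spoofing feature looks from the detection side, as an added example that is not part of Hollowise or the original article: it flags process starts whose declared parent differs from the process that actually created them. It assumes telemetry that records both PIDs; the field names, the broker allowlist and the sample events are constructed for illustration.

```python
# Added example, not Hollowise code. Field names and sample events are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str
    declared_ppid: int  # parent PID recorded for the new process
    creator_pid: int    # PID that actually issued the creation call


# Assumption: creators allowed to re-parent children, e.g. the service host
# that brokers UAC elevation on behalf of the requesting process. Tune per site.
BROKER_IMAGES = {r"c:\windows\system32\svchost.exe"}


def find_spoofed_parents(events):
    """Return (event, creator_image, declared_parent_image) for each start
    whose declared parent is not the process that created it."""
    images = {}  # pid -> image; rebuilt in event order, so PID reuse overwrites
    findings = []
    for ev in events:
        images[ev.pid] = ev.image.lower()
        if ev.creator_pid == ev.declared_ppid:
            continue  # ordinary parent/child relationship
        creator = images.get(ev.creator_pid, "<unknown>")
        if creator in BROKER_IMAGES:
            continue  # known legitimate re-parenting
        declared = images.get(ev.declared_ppid, "<unknown>")
        findings.append((ev, creator, declared))
    return findings


# Constructed events mirroring the article's calc.exe / explorer.exe scenario.
SAMPLE = [
    ProcStart(1000, r"C:\Windows\explorer.exe", 900, 900),
    ProcStart(1200, r"C:\Windows\System32\svchost.exe", 700, 700),
    ProcStart(2000, r"C:\Windows\System32\cmd.exe", 1000, 1000),
    ProcStart(2100, r"C:\Tools\hollowise.exe", 2000, 2000),
    ProcStart(2200, r"C:\Windows\System32\calc.exe", 1000, 2100),  # spoofed
    ProcStart(2300, r"C:\Windows\System32\mmc.exe", 1000, 1200),   # UAC broker
]

if __name__ == "__main__":
    for ev, creator, declared in find_spoofed_parents(SAMPLE):
        print(f"pid={ev.pid} {ev.image}: declared parent {declared}, "
              f"created by {creator}")
```

An unknown creator is reported rather than skipped, since a gap in telemetry should not hide a mismatch.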