
Analyzing Malware Hollow Processes

<!doctype html><html lang="en-us"><head> <meta charset="utf-8"> <title>Analyzing Malware Hollow Processes</title> <link rel="shortcut icon" href="https://www.trustwave.com/hubfs/Trustwave_Icon_Color-2.svg"> <meta name="description" content="The Malware Analyst's Cookbook is a great book. In it the authors talked about an interesting technique they called 'process hollowing'. When I read about it, I was intrigued and played around a bit with the examples from the book.... "> <style> @font-face { font-family: "Inter"; font-weight: 100; font-style: normal; font-display: swap; src: url("/_hcms/googlefonts/Inter/100.woff2") format("woff2"), url("/_hcms/googlefonts/Inter/100.woff") format("woff"); } @font-face { font-family: "Inter"; font-weight: 300; font-style: normal; font-display: swap; src: url("/_hcms/googlefonts/Inter/300.woff2") format("woff2"), url("/_hcms/googlefonts/Inter/300.woff") format("woff"); } body { font-family: 'Inter', Arial, sans-serif; font-weight: 300; line-height: 150%; letter-spacing: 0; } </style> <!-- Page CSS Starts Required v2 --> <!-- Standard Header Includes --> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta property="og:description" content="The Malware Analyst's Cookbook is a great book. In it the authors talked about an interesting technique they called 'process hollowing'. When I read about it, I was intrigued and played around a bit with the examples from the book.... "> <meta property="og:title" content="Analyzing Malware Hollow Processes"> <meta name="twitter:description" content="The Malware Analyst's Cookbook is a great book. In it the authors talked about an interesting technique they called 'process hollowing'. When I read about it, I was intrigued and played around a bit with the examples from the book.... 
"> <meta name="twitter:title" content="Analyzing Malware Hollow Processes"> <link rel="stylesheet" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/template_assets/81597466170/1727892386937/marketplace/GiantFocal/Hatch/css/main.min.css" position="head"> <link rel="stylesheet" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/template_assets/82152213034/1732213578769/Trustwave_Theme_by_CC/child.min.css" position="head"> <style> a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px} </style> <link rel="stylesheet" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/template_assets/173343932468/1727871843733/Trustwave_Theme_by_CC/css/pages/blog-details.min.css"> <link class="hs-async-css" rel="preload" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/128102279083/1729705714101/module_128102279083_Global-Header.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> <noscript><link rel="stylesheet" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/128102279083/1729705714101/module_128102279083_Global-Header.min.css"></noscript> <style> .header-section, .incidence-section, .login-section, .search-bg, .search-data, .megamenuRepeat { visibility: hidden } </style> <style> body, .blog-post_details-page { background: #17191C; } .hs-blog-post 
#hs_cos_wrapper_module_16910398984436 .header-two-row { background: #101114; } .hs-blog-post .header-section, body.header-fixed:not(.header-moving) .hs-blog-post .header-section { background: transparent !important; } </style> <style> body.dark-theme .hs-blog-post .module-share-wrapper .share-btn a { background-color: #FFF !important; background: linear-gradient(65deg,#a6ecfc,#a6ecfc 25%,#fff 60%,#fff) !important; } body.light-theme .hs-blog-post .module-share-wrapper .share-btn a, .module-share-wrapper .share-btn a { background: linear-gradient(65deg, #B10C2A 0%, #B10C2A 25%, #17191C 60%, #17191C 100%) !important; background-color: #B10C2A !important; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper { display:flex; flex-flow:row wrap; align-items:center; justify-content:flex-start; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-text { margin-right:36px; font-weight:400; font-size:15px; line-height:150%; color:#000; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-btn { margin-right:26px; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-btn:last-child { margin-right:0; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-btn a { width:40px; height:40px; text-indent:-9999px; overflow:hidden; border-radius:6px; display:block; position:relative; background-repeat:no-repeat; background-size:250% 100% !important; background-position:100% 0 !important; } @media (min-width:992px) { #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-btn a:hover { background-size:100% 100% !important; background-position:100% 0 !important; } } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-btn a::after { position:absolute; top:0; left:0; right:0; bottom:0; content:""; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .copy-link { position:relative; display:flex; justify-content:center; } #hs_cos_wrapper_module_172236034181117 
.module-share-wrapper .copy-link .copied-link { position:absolute; background-color:rgba(213,222,229,1); color:#000; bottom:-50px; padding:8px; border-radius:6px; opacity:0; font-size:12px; white-space:nowrap; transition:opacity ease-in-out 0.3s; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .copy-link.copy-indicator .copied-link { opacity:1; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .copy-link a::after { background:url("data:image/svg+xml,%3Csvg width='18' height='18' viewBox='0 0 18 18' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M9.00016 1.92855L6.87884 4.04988C6.48993 4.43878 6.48993 5.07518 6.87884 5.46409C7.26774 5.853 7.90414 5.853 8.29305 5.46409L10.4144 3.34277C11.5811 2.17604 13.4903 2.17604 14.657 3.34277C15.8237 4.50949 15.8237 6.41868 14.657 7.58541L12.5357 9.70673C12.1468 10.0956 12.1468 10.732 12.5357 11.1209C12.9246 11.5099 13.561 11.5099 13.9499 11.1209L16.0712 8.99962C18.0228 7.04801 18.0228 3.88017 16.0712 1.92855C14.1196 -0.02306 10.9518 -0.0230601 9.00016 1.92855ZM6.17173 11.828C6.56064 12.217 7.19703 12.217 7.58594 11.828L11.8286 7.58541C12.2175 7.1965 12.2175 6.5601 11.8286 6.1712C11.4397 5.78229 10.8033 5.78229 10.4144 6.1712L6.17173 10.4138C5.78282 10.8027 5.78282 11.4391 6.17173 11.828ZM9.70726 12.5352L7.58594 14.6565C6.41922 15.8232 4.51003 15.8232 3.3433 14.6565C2.17658 13.4898 2.17658 11.5806 3.3433 10.4138L5.46462 8.29252C5.85353 7.90361 5.85353 7.26721 5.46462 6.8783C5.07571 6.48939 4.43932 6.48939 4.05041 6.8783L1.92909 8.99962C-0.0225261 10.9512 -0.0225261 14.1191 1.92909 16.0707C3.8807 18.0223 7.04854 18.0223 9.00016 16.0707L11.1215 13.9494C11.5104 13.5605 11.5104 12.9241 11.1215 12.5352C10.7326 12.1462 10.0962 12.1462 9.70726 12.5352Z' fill='white'/%3E%3C/svg%3E%0A") no-repeat center center; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .copy-link.link-copied a { background-color:cyan !important; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper 
.share-linkedin a::after { background:url("data:image/svg+xml,%3Csvg width='14' height='14' viewBox='0 0 14 14' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M3.17258 4.75635H0.286133V13.7247H3.17258V4.75635Z' fill='white'/%3E%3Cpath d='M1.71237 3.58398C2.65418 3.58398 3.41983 2.8415 3.41983 1.92968C3.41983 1.01787 2.65418 0.275391 1.71237 0.275391C0.770547 0.275391 0.00488281 1.01787 0.00488281 1.92968C0.00488281 2.8415 0.770547 3.58398 1.71237 3.58398Z' fill='white'/%3E%3Cpath d='M7.78885 9.01545C7.78885 7.75193 8.39187 7.00294 9.55051 7.00294C10.6143 7.00294 11.1225 7.72588 11.1225 9.01545V13.7243H13.9953V8.04501C13.9953 5.64173 12.5792 4.48242 10.6007 4.48242C8.62225 4.48242 7.78885 5.96738 7.78885 5.96738V4.75597H5.01758V13.7243H7.78885V9.01545Z' fill='white'/%3E%3C/svg%3E%0A") no-repeat center center; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-x a::after { background:url("data:image/svg+xml,%3Csvg width='16' height='14' viewBox='0 0 16 14' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M0.0436253 0.0131836L6.21741 7.72027L0.00463867 13.9865H1.40288L6.84216 8.50032L11.2369 13.9865H15.9952L9.47408 5.84586L15.2569 0.0131836H13.8586L8.84933 5.06581L4.80191 0.0131836H0.0436253ZM2.09985 0.97478H4.28582L13.9387 13.0247H11.7527L2.09985 0.97478Z' fill='white'/%3E%3C/svg%3E%0A") no-repeat center center; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-facebook a::after { background:url("data:image/svg+xml,%3Csvg width='10' height='16' viewBox='0 0 10 16' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M1.21705 8.5216H2.97091V15.7419C2.97091 15.8845 3.08642 16 3.22897 16H6.2027C6.34525 16 6.46076 15.8845 6.46076 15.7419V8.55561H8.47697C8.60807 8.55561 8.71836 8.45724 8.73333 8.32702L9.03955 5.66885C9.04796 5.59572 9.02479 5.52248 8.97586 5.46761C8.92688 5.4127 8.85679 5.38126 8.78324 5.38126H6.46087V3.71499C6.46087 3.2127 6.73132 2.95799 7.26479 2.95799C7.34082 2.95799 8.78324 2.95799 
8.78324 2.95799C8.9258 2.95799 9.04131 2.84243 9.04131 2.69992V0.259974C9.04131 0.117419 8.9258 0.00190968 8.78324 0.00190968H6.6906C6.67584 0.0011871 6.64306 0 6.59475 0C6.23165 0 4.96956 0.0712774 3.97261 0.988439C2.86799 2.0048 3.02154 3.22173 3.05824 3.43272V5.38121H1.21705C1.07449 5.38121 0.958984 5.49672 0.958984 5.63928V8.26348C0.958984 8.40604 1.07449 8.5216 1.21705 8.5216Z' fill='white'/%3E%3C/svg%3E%0A") no-repeat center center; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-rss a::after { background:url("data:image/svg+xml,%3Csvg width='18' height='21' viewBox='0 0 18 21' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M0 2.57143C0 1.86027 0.574554 1.28571 1.28571 1.28571C10.5187 1.28571 18 8.76696 18 18C18 18.7112 17.4254 19.2857 16.7143 19.2857C16.0031 19.2857 15.4286 18.7112 15.4286 18C15.4286 10.1893 9.09643 3.85714 1.28571 3.85714C0.574554 3.85714 0 3.28259 0 2.57143ZM0 16.7143C0 16.0323 0.270918 15.3782 0.753154 14.896C1.23539 14.4138 1.88944 14.1429 2.57143 14.1429C3.25341 14.1429 3.90747 14.4138 4.3897 14.896C4.87194 15.3782 5.14286 16.0323 5.14286 16.7143C5.14286 17.3963 4.87194 18.0503 4.3897 18.5326C3.90747 19.0148 3.25341 19.2857 2.57143 19.2857C1.88944 19.2857 1.23539 19.0148 0.753154 18.5326C0.270918 18.0503 0 17.3963 0 16.7143ZM1.28571 6.42857C7.67813 6.42857 12.8571 11.6076 12.8571 18C12.8571 18.7112 12.2826 19.2857 11.5714 19.2857C10.8603 19.2857 10.2857 18.7112 10.2857 18C10.2857 13.0299 6.2558 9 1.28571 9C0.574554 9 0 8.42545 0 7.71428C0 7.00312 0.574554 6.42857 1.28571 6.42857Z' fill='black'/%3E%3C/svg%3E%0A") no-repeat center center; } @media screen and (max-width:768px) { #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-text { margin-right:24px; font-weight:300; } #hs_cos_wrapper_module_172236034181117 .module-share-wrapper .share-btn { margin-right:20px; } } body:not(.light-theme) .hs-blog-post .module-share-wrapper .share-text, .dark-theme.module-share-wrapper .share-text, 
body:not(.light-theme).hs-blog-post .module-share-wrapper .copy-link .copied-link, .dark-theme.module-share-wrapper .copy-link .copied-link { color: #FFF !important; } body:not(.light-theme) .hs-blog-post .module-share-wrapper .copy-link .copied-link { background-color: #000 !important; color: #FFF !important; } body:not(.light-theme).hs-blog-post .module-share-wrapper .share-btn a, .dark-theme.module-share-wrapper .share-btn a { background-color: #FFF !important; background: linear-gradient(65deg,#fff,#fff 25%,#a6ecfc 60%,#a6ecfc) !important; } body:not(.light-theme) .hs-blog-post .module-share-wrapper .copy-link a::after, .dark-theme.module-share-wrapper .copy-link a::after { background-image: url("data:image/svg+xml,%3Csvg width='18' height='18' viewBox='0 0 18 18' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M9.00016 1.92855L6.87884 4.04988C6.48993 4.43878 6.48993 5.07518 6.87884 5.46409C7.26774 5.853 7.90414 5.853 8.29305 5.46409L10.4144 3.34277C11.5811 2.17604 13.4903 2.17604 14.657 3.34277C15.8237 4.50949 15.8237 6.41868 14.657 7.58541L12.5357 9.70673C12.1468 10.0956 12.1468 10.732 12.5357 11.1209C12.9246 11.5099 13.561 11.5099 13.9499 11.1209L16.0712 8.99962C18.0228 7.04801 18.0228 3.88017 16.0712 1.92855C14.1196 -0.02306 10.9518 -0.0230601 9.00016 1.92855ZM6.17173 11.828C6.56064 12.217 7.19703 12.217 7.58594 11.828L11.8286 7.58541C12.2175 7.1965 12.2175 6.5601 11.8286 6.1712C11.4397 5.78229 10.8033 5.78229 10.4144 6.1712L6.17173 10.4138C5.78282 10.8027 5.78282 11.4391 6.17173 11.828ZM9.70726 12.5352L7.58594 14.6565C6.41922 15.8232 4.51003 15.8232 3.3433 14.6565C2.17658 13.4898 2.17658 11.5806 3.3433 10.4138L5.46462 8.29252C5.85353 7.90361 5.85353 7.26721 5.46462 6.8783C5.07571 6.48939 4.43932 6.48939 4.05041 6.8783L1.92909 8.99962C-0.0225261 10.9512 -0.0225261 14.1191 1.92909 16.0707C3.8807 18.0223 7.04854 18.0223 9.00016 16.0707L11.1215 13.9494C11.5104 13.5605 11.5104 12.9241 11.1215 12.5352C10.7326 12.1462 10.0962 12.1462 9.70726 12.5352Z' 
fill='black'/%3E%3C/svg%3E%0A") !important; } body:not(.light-theme) .hs-blog-post .module-share-wrapper .share-linkedin a::after, .dark-theme.module-share-wrapper .share-linkedin a::after { background-image: url("data:image/svg+xml,%3Csvg width='14' height='14' viewBox='0 0 14 14' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M3.17258 4.75635H0.286133V13.7247H3.17258V4.75635Z' fill='black'/%3E%3Cpath d='M1.71237 3.58398C2.65418 3.58398 3.41983 2.8415 3.41983 1.92968C3.41983 1.01787 2.65418 0.275391 1.71237 0.275391C0.770547 0.275391 0.00488281 1.01787 0.00488281 1.92968C0.00488281 2.8415 0.770547 3.58398 1.71237 3.58398Z' fill='black'/%3E%3Cpath d='M7.78885 9.01545C7.78885 7.75193 8.39187 7.00294 9.55051 7.00294C10.6143 7.00294 11.1225 7.72588 11.1225 9.01545V13.7243H13.9953V8.04501C13.9953 5.64173 12.5792 4.48242 10.6007 4.48242C8.62225 4.48242 7.78885 5.96738 7.78885 5.96738V4.75597H5.01758V13.7243H7.78885V9.01545Z' fill='black'/%3E%3C/svg%3E%0A") !important; } body:not(.light-theme) .hs-blog-post .module-share-wrapper .share-x a::after, .dark-theme.module-share-wrapper .share-x a::after { background-image: url("data:image/svg+xml,%3Csvg width='16' height='14' viewBox='0 0 16 14' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M0.0436253 0.0131836L6.21741 7.72027L0.00463867 13.9865H1.40288L6.84216 8.50032L11.2369 13.9865H15.9952L9.47408 5.84586L15.2569 0.0131836H13.8586L8.84933 5.06581L4.80191 0.0131836H0.0436253ZM2.09985 0.97478H4.28582L13.9387 13.0247H11.7527L2.09985 0.97478Z' fill='black'/%3E%3C/svg%3E%0A") !important; } body:not(.light-theme) .hs-blog-post .module-share-wrapper .share-facebook a::after, .dark-theme.module-share-wrapper .share-facebook a::after { background-image: url("data:image/svg+xml,%3Csvg width='10' height='16' viewBox='0 0 10 16' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M1.21705 8.5216H2.97091V15.7419C2.97091 15.8845 3.08642 16 3.22897 16H6.2027C6.34525 16 6.46076 15.8845 6.46076 
15.7419V8.55561H8.47697C8.60807 8.55561 8.71836 8.45724 8.73333 8.32702L9.03955 5.66885C9.04796 5.59572 9.02479 5.52248 8.97586 5.46761C8.92688 5.4127 8.85679 5.38126 8.78324 5.38126H6.46087V3.71499C6.46087 3.2127 6.73132 2.95799 7.26479 2.95799C7.34082 2.95799 8.78324 2.95799 8.78324 2.95799C8.9258 2.95799 9.04131 2.84243 9.04131 2.69992V0.259974C9.04131 0.117419 8.9258 0.00190968 8.78324 0.00190968H6.6906C6.67584 0.0011871 6.64306 0 6.59475 0C6.23165 0 4.96956 0.0712774 3.97261 0.988439C2.86799 2.0048 3.02154 3.22173 3.05824 3.43272V5.38121H1.21705C1.07449 5.38121 0.958984 5.49672 0.958984 5.63928V8.26348C0.958984 8.40604 1.07449 8.5216 1.21705 8.5216Z' fill='black'/%3E%3C/svg%3E%0A") !important; } </style> <link rel="stylesheet" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/170112427927/1729114022610/module_170112427927_promotional-interrupter.min.css"> <style> #hs_cos_wrapper_module_17228780589192 .blog_interruptor { padding:32px 0; margin:40px 0; display:flex; gap:64px; justify-content:space-between; } #hs_cos_wrapper_module_17228780589192 .blog_interruptor .blog-interrupter_content, #hs_cos_wrapper_module_17228780589192 .blog_interruptor .blog-interrupter_content * { font-weight:300; font-size:26px; line-height:130%; letter-spacing:-0.01em; flex:1; } #hs_cos_wrapper_module_17228780589192 .blog_interruptor a.btn-solid { color:white !important; } #hs_cos_wrapper_module_17228780589192 .blog_interruptor a { text-decoration:none !important; min-width:fit-content; font-size:18px !important; line-height:120% !important; letter-spacing:-0.01em !important; } @media (max-width:1024px) { #hs_cos_wrapper_module_17228780589192 .blog_interruptor { padding:48px 0 45px; margin:40px 0; gap:30px; justify-content:space-between; flex-direction:column; align-items:flex-start; border-top:0; background-image:url("data:image/svg+xml,%3Csvg width='375' height='213' viewBox='0 0 375 213' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Crect 
width='375' height='213' transform='translate(0 0.000976562)' fill='url(%23paint0_radial_66_5534)'/%3E%3Cdefs%3E%3CradialGradient id='paint0_radial_66_5534' cx='0' cy='0' r='1' gradientUnits='userSpaceOnUse' gradientTransform='translate(187 -0.00169004) scale(188 248.721)'%3E%3Cstop offset='0.3' stop-color='%23EFFCFF'/%3E%3Cstop offset='0.9' stop-color='white'/%3E%3C/radialGradient%3E%3C/defs%3E%3C/svg%3E%0A"); background-position:top center; background-repeat:no-repeat; position:relative; } #hs_cos_wrapper_module_17228780589192 .blog_interruptor::before { height:1px; width:100%; background:#000; content:""; position:absolute; top:16px; left:0; } #hs_cos_wrapper_module_17228780589192 .blog_interruptor span { font-size:20px; line-height:130%; } } /* Blog Interruptor Styles */ /* Dark Theme */ body.dark-theme .blog_interruptor { border-top: 1px solid #fff; border-bottom: 1px solid #fff; } body.dark-theme .blog_interruptor::before { background: #FFF !important; } body.dark-theme .blog_interruptor .blog-interrupter_content, body.dark-theme .blog_interruptor .blog-interrupter_content * { color: #FFFFFF; } body.dark-theme .blog_interruptor a::after { background-image: url("data:image/svg+xml,%3Csvg width='15' height='16' viewBox='0 0 15 16' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath fill-rule='evenodd' clip-rule='evenodd' d='M7.14645 0.646447C7.34171 0.451184 7.65829 0.451184 7.85355 0.646447L14.8536 7.64645C14.9473 7.74021 15 7.86739 15 8C15 8.13261 14.9473 8.25979 14.8536 8.35355L7.85355 15.3536C7.65829 15.5488 7.34171 15.5488 7.14645 15.3536C6.95118 15.1583 6.95118 14.8417 7.14645 14.6464L13.2929 8.5H0.5C0.223858 8.5 0 8.27614 0 8C0 7.72386 0.223858 7.5 0.5 7.5H13.2929L7.14645 1.35355C6.95118 1.15829 6.95118 0.841709 7.14645 0.646447Z' fill='white'/%3E%3C/svg%3E%0A") } body.dark-theme .blog_interruptor a:hover::after { background-image: url("data:image/svg+xml,%3Csvg width='17' height='16' viewBox='0 0 17 16' fill='none' 
xmlns='http://www.w3.org/2000/svg'%3E%3Cpath fill-rule='evenodd' clip-rule='evenodd' d='M8.5848 0.646447C8.78006 0.451184 9.09665 0.451184 9.29191 0.646447L16.2919 7.64645C16.3857 7.74021 16.4384 7.86739 16.4384 8C16.4384 8.13261 16.3857 8.25979 16.2919 8.35355L9.29191 15.3536C9.09665 15.5488 8.78006 15.5488 8.5848 15.3536C8.38954 15.1583 8.38954 14.8417 8.5848 14.6464L14.7312 8.5H1.93835C1.66221 8.5 1.43835 8.27614 1.43835 8C1.43835 7.72386 1.66221 7.5 1.93835 7.5H14.7312L8.5848 1.35355C8.38954 1.15829 8.38954 0.841709 8.5848 0.646447Z' fill='white' stroke='white' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E%0A") } @media (max-width: 1024px) { body.dark-theme .blog_interruptor { background-image: url("data:image/svg+xml,%3Csvg width='311' height='205' viewBox='0 0 311 205' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Crect width='311' height='204' transform='translate(0 0.80249)' fill='url(%23paint0_radial_2076_9767)' fill-opacity='0.8'/%3E%3Cdefs%3E%3CradialGradient id='paint0_radial_2076_9767' cx='0' cy='0' r='1' gradientUnits='userSpaceOnUse' gradientTransform='translate(155.085 -0.00161863) scale(155.915 238.211)'%3E%3Cstop stop-color='%23790016'/%3E%3Cstop offset='0.9' stop-color='%2317191C'/%3E%3C/radialGradient%3E%3C/defs%3E%3C/svg%3E%0A") !important; } } </style> <link rel="stylesheet" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/174286900499/1732208583930/module_174286900499_blog-featured-resources.min.css"> <link rel="stylesheet" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/170221997576/1727346015970/module_170221997576_related-offerings.min.css"> <style> #hs_cos_wrapper_module_17225404242263 .related-offerings { display:flex; justify-content:flex-start; align-items:flex-start; flex-wrap:wrap; column-gap:60px; } #hs_cos_wrapper_module_17225404242263 .related-offerings h3 { margin-top:3px; margin-bottom:0; font-weight:200; font-size:32px; } 
#hs_cos_wrapper_module_17225404242263 .btn-m.btn.btn-outline.btn-white.btn-outline-1.text-dark.fill-dark.btn-icon-back { padding:16px 13px; width:fit-content; font-size:16px; } @media (max-width:1280px) { #hs_cos_wrapper_module_17225404242263 .related-offerings { align-items:start; flex-wrap:wrap; } #hs_cos_wrapper_module_17225404242263 .related-offerings h3 { margin-top:0; font-size:26px; } } @media (max-width:767px) { #hs_cos_wrapper_module_17225404242263 .related-offerings { flex-direction:column; } #hs_cos_wrapper_module_17225404242263 .related-offerings h3 { margin-top:0; margin-bottom:40px; font-size:22px; } #hs_cos_wrapper_module_17225404242263 .btn-m.btn.btn-outline.btn-white.btn-outline-1.text-dark.fill-dark.btn-icon-back { padding:16px 13px; width:calc(100vw - 64px); max-width:650px; } } </style> <link class="hs-async-css" rel="preload" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/128101228672/1730829013313/module_128101228672_Global-Footer.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> <noscript><link rel="stylesheet" href="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/128101228672/1730829013313/module_128101228672_Global-Footer.min.css"></noscript> <style> @font-face { font-family: "Inter"; font-weight: 200; font-style: normal; font-display: swap; src: url("/_hcms/googlefonts/Inter/200.woff2") format("woff2"), url("/_hcms/googlefonts/Inter/200.woff") format("woff"); } @font-face { font-family: "Inter"; font-weight: 500; font-style: normal; font-display: swap; src: url("/_hcms/googlefonts/Inter/500.woff2") format("woff2"), url("/_hcms/googlefonts/Inter/500.woff") format("woff"); } @font-face { font-family: "Inter"; font-weight: 400; font-style: normal; font-display: swap; src: url("/_hcms/googlefonts/Inter/regular.woff2") format("woff2"), url("/_hcms/googlefonts/Inter/regular.woff") format("woff"); } @font-face { font-family: "Inter"; font-weight: 700; font-style: normal; 
font-display: swap; src: url("/_hcms/googlefonts/Inter/700.woff2") format("woff2"), url("/_hcms/googlefonts/Inter/700.woff") format("woff"); } </style> <script type="application/ld+json"> { "mainEntityOfPage" : { "@type" : "WebPage", "@id" : "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/" }, "author" : { "@type" : "Person" }, "headline" : "Analyzing Malware Hollow Processes", "datePublished" : "2011-05-16T12:36:00.000Z", "dateModified" : "2023-11-28T12:36:29.012Z", "publisher" : { "name" : "Trustwave Holdings, Inc.", "logo" : { "url" : "https://www.trustwave.com/hubfs/tw_logo_default.png", "@type" : "ImageObject" }, "@type" : "Organization" }, "@context" : "https://schema.org", "@type" : "BlogPosting" } </script> <!-- Added by GoogleTagManager integration --> <script> var _hsp = window._hsp = window._hsp || []; window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} var useGoogleConsentModeV2 = true; var waitForUpdateMillis = 1000; var hsLoadGtm = function loadGtm() { if(window._hsGtmLoadOnce) { return; } if (useGoogleConsentModeV2) { gtag('set','developer_id.dZTQ1Zm',true); gtag('consent', 'default', { 'ad_storage': 'denied', 'analytics_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': waitForUpdateMillis }); _hsp.push(['useGoogleConsentModeV2']) } (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-54M2ZJN'); window._hsGtmLoadOnce = true; }; _hsp.push(['addPrivacyConsentListener', function(consent){ if(consent.allowed || (consent.categories && consent.categories.analytics)){ hsLoadGtm(); } }]); </script> <!-- /Added by GoogleTagManager integration --> <script> 
// Check if the URL matches one of the allowed URLs
// Hostname allow-list: GA is only wired up on the two production hosts, so
// previews/staging and mirrored copies of this markup do not report page views.
const isValidUrl = ["www.info.trustwave.com", "www.trustwave.com"].includes(window.location.hostname);
// Check if any of the specified query strings are present in the URL
// hsDebug / hs_preview look like HubSpot debug/preview flags (the page is HubSpot-generated);
// utm_TrafficCategory is presumably a tagged-traffic marker — TODO confirm why it suppresses GA.
const isQueryStringPresent = ["hsDebug", "hs_preview", "utm_TrafficCategory"].some(query =>
  new URLSearchParams(window.location.search).has(query)
);
if (isValidUrl && !isQueryStringPresent) {
  // Google Analytics script
  // Injects the gtag loader from googletagmanager.com. NOTE(review): third-party script with no
  // integrity attribute (SRI is impractical for a loader that changes upstream); a CSP script-src
  // allow-list is the practical control, and this inline block itself needs a nonce/hash under a
  // strict CSP. Unlike the GTM loader above, this runs on the hostname check alone and does not
  // appear to wait on the privacy-consent listener — confirm that is intended.
  (function () {
    var gaScript = document.createElement('script');
    gaScript.async = true;
    gaScript.src = 'https://www.googletagmanager.com/gtag/js?id=G-DP8B111F8E';
    document.head.appendChild(gaScript);
    window.dataLayer = window.dataLayer || [];
    function gtag() { dataLayer.push(arguments); }
    gtag('js', new Date());
    gtag('config', 'G-DP8B111F8E');
  })();
}
</script>
<link rel="amphtml" href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/?hs_amp=true">
<!-- NOTE(review): og:url, og:type and og:image are declared again further down in <head>
     (og:type "website" there vs "article" here, and a different og:image), and twitter:card
     is given twice in this very group ("summary" then "summary_large_image"). Crawlers
     generally honour the first occurrence, so these should be reconciled into one set.
     og:image:type "image/jpg" is not a registered MIME type; "image/jpeg" is. -->
<meta property="og:url" content="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/">
<meta name="twitter:card" content="summary">
<link rel="canonical" href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/">
<meta property="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://www.trustwave.com/hubfs/Web/Defaults/sl-socialmedia-header.jpg">
<meta property="og:image" content="https://www.trustwave.com/hubfs/Web/Defaults/sl-socialmedia-header.jpg">
<meta property="og:image:type" content="image/jpg">
<meta property="og:image:width" content="1200">
<meta property="og:image:height" content="630">
<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rss.xml">
<meta name="twitter:domain" content="www.trustwave.com">
<meta name="twitter:site" content="@SpiderLabs">
<!-- NOTE(review): the LinkedIn loader that follows is fetched from a third-party origin over a
     protocol-relative "//platform.linkedin.com/in.js" URL; prefer an explicit https: URL so the
     request cannot downgrade with the embedding document. -->
<script
src="//platform.linkedin.com/in.js" type="text/javascript"> lang: en_US </script> <meta http-equiv="content-language" content="en-us"> <!-- Facebook Meta Tags --> <meta property="og:url" content="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/"> <meta property="og:type" content="website"> <meta property="og:title" content="Analyzing Malware Hollow Processes"> <meta property="og:description" content="The Malware Analyst's Cookbook is a great book. In it the authors talked about an interesting technique they called 'process hollowing'. When I read about it, I was intrigued and played around a bit with the examples from the book.... "> <meta property="og:image" content="https://www.trustwave.com/hubfs/Web/General/metadata.jpg"> <!-- Twitter Meta Tags --> <meta name="twitter:card" content="summary_large_image"> <meta property="twitter:domain" content="trustwave.com"> <meta property="twitter:url" content="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/"> <meta name="twitter:title" content="Analyzing Malware Hollow Processes"> <meta name="twitter:description" content="The Malware Analyst's Cookbook is a great book. In it the authors talked about an interesting technique they called 'process hollowing'. When I read about it, I was intrigued and played around a bit with the examples from the book.... 
"> <meta name="twitter:image" content="https://www.trustwave.com/hubfs/Web/General/metadata.jpg"> <meta name="generator" content="HubSpot"></head> <body class="template-header-default" id="147572829488"> <!-- Added by GoogleTagManager integration --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-54M2ZJN" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- /Added by GoogleTagManager integration --> <div class="body-wrapper hs-content-id-147572829488 hs-blog-post hs-blog-id-123670301864"> <div id="hs_cos_wrapper_module_16910398984436" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <div class="header-section"> <div class="header-two-row"> <div class="container site-content"> <div class="header-first-row"> <div class="first-two-col"> <div class="f-left"> <div class="f-left-inr"> <div class="icon-two-col"> <div class="icon-left-q"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" width="24px" height="24px" viewbox="0 0 24 24" enable-background="new 0 0 24 24" xml:space="preserve"> <g> <path fill="#ED1A3D" d="M12,0c6.6,0,12,5.4,12,12c0,6.6-5.4,12-12,12C5.3,24,0,18.6,0,12C0,5.4,5.4,0,12,0z M21.6,12 c0-5.3-4.3-9.6-9.6-9.6c-5.3,0-9.6,4.3-9.6,9.6c0,5.3,4.3,9.6,9.6,9.6C17.3,21.6,21.6,17.3,21.6,12z" /> <path fill="#ED1A3D" d="M10.8,10.2c0-1,0-2,0-3c0-0.6,0.4-1.1,1.1-1.2c0.6-0.1,1.1,0.3,1.3,0.8c0,0.1,0.1,0.2,0.1,0.4c0,2,0,4,0,6 c0,0.6-0.4,1.1-1,1.2c-0.5,0.1-1.1-0.3-1.3-0.8c-0.1-0.2-0.1-0.3-0.1-0.5C10.8,12.1,10.8,11.2,10.8,10.2 C10.8,10.2,10.8,10.2,10.8,10.2z" /> <path fill="#ED1A3D" d="M13.2,16.8c0,0.7-0.5,1.2-1.2,1.2c-0.7,0-1.2-0.5-1.2-1.2c0-0.7,0.5-1.2,1.2-1.2 C12.7,15.6,13.2,16.1,13.2,16.8z" /> </g> </svg> </div> <div class="icon-right-q"> <div class="i-content-right"> <p style="margin-top: 10px;">Trustwave and Cybereason Merge to Form Global MDR 
Powerhouse for Unparalleled Cybersecurity Value. <a href="https://www.trustwave.com/en-us/company/newsroom/news/trustwave-and-cybereason-merge-to-form-global-mdr-powerhouse-for-unparalleled-cybersecurity-value/" rel="noopener" target="_blank">Learn More</a></p>
<!-- NOTE(review): the two hidden inputs below (ids hippowiz-ass-injected and
     hvmessage-toextension-listener) do not look like site markup; the ids suggest they were
     injected into the DOM by a browser extension running in the client that captured this page.
     Confirm against the HTML as served before treating them as part of the template, and do not
     rely on them in any selector, test or detection rule. -->
<input id="hippowiz-ass-injected" type="hidden" value="true"><input id="hvmessage-toextension-listener" type="hidden" value="none">
</div>
</div>
</div>
</div>
</div>
<div class="f-right">
  <div class="f-r-inr">
    <div class="f-list-items">
      <ul>
        <li>
          <a href="https://www.trustwave.com/en-us/company/contact/">Contact Us </a>
        </li>
        <li>
          <!-- NOTE(review): "Login" and "Incident Response" are menu toggles with
               href="javascript:void(0)". A link with no destination is a button: prefer
               <button type="button" aria-expanded="false" aria-controls="ID-OF-PANEL"> with the
               handler bound from script, which also keeps the menu working under a CSP that
               blocks javascript: URLs and gives keyboard/AT users the expanded state. -->
          <a href="javascript:void(0)">Login </a>
          <div class="login-wrapper">
            <div class="login-section">
              <div class="login-sec-inr">
                <div class="login-two-row">
                  <div class="login-f-row">
                    <div class="log-logo">
                      <!-- alt is the file name; "Trustwave Fusion" (or alt="" if decorative) would describe it -->
                      <img src="https://www.trustwave.com/hubfs/fusion-logo-color-1.svg" alt="fusion-logo-color-1" loading="lazy" width="300" height="96" style="max-width: 100%; height: auto;">
                    </div>
                    <div class="login-link-buton">
                      <a href="https://fusion.trustwave.com/">Fusion Platform Login </a>
                    </div>
                    <div class="what-link">
                      <a href="https://www.trustwave.com/en-us/company/about-us/trustwave-fusion-platform/">What is the Trustwave Fusion Platform? </a>
                    </div>
                  </div>
                  <div class="login-s-row">
                    <div class="login-last-bnt">
                      <a href="https://console.us.mailmarshal.cloud/">MailMarshal Cloud Login </a>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </li>
        <li>
          <a href="javascript:void(0)">Incident Response </a>
          <div class="incidence-section">
            <div class="incidence-sec-inr">
              <div class="indic-two-row">
                <div class="indic-f-row">
                  <div class="indics-title">
                    <h6> Experiencing a security breach?
</h6> </div> <div class="indics-content"> <p>Get access to immediate incident response assistance.</p> </div> <div class="hotline-title"> 24 HOUR HOTLINES </div> </div> <div class="indic-sec-row"> <div class="hot-item-link"> <ul> <li> <span> AMERICAS </span> <span> <a href="tel:+1%20855%20438%204305">+1 855 438 4305 </a> </span> </li> <li> <span> EMEA </span> <span> <a href="tel:+44%208081687370">+44 8081687370 </a> </span> </li> <li> <span> AUSTRALIA </span> <span> <a href="tel:+61%201300901211">+61 1300901211 </a> </span> </li> <li> <span> SINGAPORE </span> <span> <a href="tel:+65%2068175019">+65 68175019 </a> </span> </li> </ul> </div> <div class="indic-last-col"> <a href="https://www.trustwave.com/en-us/company/contact/security-breach/">Recommended Actions </a> </div> </div> </div> </div> </div> </li> </ul> </div> </div> </div> </div> </div> </div> </div> <div class="header-second-row"> <div class="container site-content"> <div class="header-sec-inr"> <div class="header-three-col"> <div class="header-left"> <div class="header-logo header-normal"> <span id="hs_cos_wrapper_module_16910398984436_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_logo" style="" data-hs-cos-general-type="widget" data-hs-cos-type="logo"><a href="//www.trustwave.com" id="hs-link-module_16910398984436_" style="border-width:0px;border:0px;"><img src="https://www.trustwave.com/hs-fs/hubfs/Web/Logos/trustwave-logo-white.png?width=300&amp;height=43&amp;name=trustwave-logo-white.png" class="hs-image-widget " height="43" style="height: auto;width:300px;border-width:0px;border:0px;" width="300" alt="trustwave-logo-white-2" title="trustwave-logo-white-2" loading="" srcset="https://www.trustwave.com/hs-fs/hubfs/Web/Logos/trustwave-logo-white.png?width=150&amp;height=22&amp;name=trustwave-logo-white.png 150w, https://www.trustwave.com/hs-fs/hubfs/Web/Logos/trustwave-logo-white.png?width=300&amp;height=43&amp;name=trustwave-logo-white.png 300w, 
https://www.trustwave.com/hs-fs/hubfs/Web/Logos/trustwave-logo-white.png?width=450&amp;height=65&amp;name=trustwave-logo-white.png 450w, https://www.trustwave.com/hs-fs/hubfs/Web/Logos/trustwave-logo-white.png?width=600&amp;height=86&amp;name=trustwave-logo-white.png 600w, https://www.trustwave.com/hs-fs/hubfs/Web/Logos/trustwave-logo-white.png?width=750&amp;height=108&amp;name=trustwave-logo-white.png 750w, https://www.trustwave.com/hs-fs/hubfs/Web/Logos/trustwave-logo-white.png?width=900&amp;height=129&amp;name=trustwave-logo-white.png 900w" sizes="(max-width: 300px) 100vw, 300px"></a></span> </div> <div class="header-logo header-sticky" style="display: none;"> <span id="hs_cos_wrapper_module_16910398984436_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_logo" style="" data-hs-cos-general-type="widget" data-hs-cos-type="logo"><a href="//www.trustwave.com" id="hs-link-module_16910398984436_" style="border-width:0px;border:0px;"><img src="https://www.trustwave.com/hubfs/trustwave-logo-color.svg" class="hs-image-widget " height="330" style="height: auto;width:2287px;border-width:0px;border:0px;" width="2287" alt="trustwave-logo-color" title="trustwave-logo-color" loading=""></a></span> </div> </div> <div class="header-middle-sec"> <div class="open-menu"> <a href="javascript:%20void(0)" class="expandMenu"> <i></i> <i></i> <i></i> </a> </div> <div class="bodyclass"> <div class="headernavigation"> <div class="header-main-clswq"> <div class="mobile-menu-s"> <div class="m-first-cols"> <div class="m-left-u"> <div class="m-logo"> <span id="hs_cos_wrapper_module_16910398984436_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_logo" style="" data-hs-cos-general-type="widget" data-hs-cos-type="logo"><a href="//www.trustwave.com" id="hs-link-module_16910398984436_" style="border-width:0px;border:0px;"><img src="https://www.trustwave.com/hubfs/trustwave-logo-color.svg" class="hs-image-widget " height="330" style="height: 
auto;width:2287px;border-width:0px;border:0px;" width="2287" alt="trustwave-logo-color" title="trustwave-logo-color" loading=""></a></span> </div> </div> <div class="m-right-u"> <div class="m-close-icon"> <svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path d="m12 10.93 5.719-5.72c.146-.146.339-.219.531-.219.404 0 .75.324.75.749 0 .193-.073.385-.219.532l-5.72 5.719 5.719 5.719c.147.147.22.339.22.531 0 .427-.349.75-.75.75-.192 0-.385-.073-.531-.219l-5.719-5.719-5.719 5.719c-.146.146-.339.219-.531.219-.401 0-.75-.323-.75-.75 0-.192.073-.384.22-.531l5.719-5.719-5.72-5.719c-.146-.147-.219-.339-.219-.532 0-.425.346-.749.75-.749.192 0 .385.073.531.219z" /></svg> </div> </div> </div> <div class="reques-demo"> <div class="search-right"> <div class="demo-link"> <a href="#navdemo-form">Request a Demo </a> </div> </div> </div> </div> <span id="hs_cos_wrapper_module_16910398984436_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="menu"><div id="hs_menu_wrapper_module_16910398984436_" class="hs-menu-wrapper active-branch no-flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="default" data-menu-id="128102089380" aria-label="Navigation Menu"> <ul role="menu"> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="javascript:;" role="menuitem">Services</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="javascript:;" role="menuitem">Solutions</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="javascript:;" role="menuitem">Why Trustwave</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="javascript:;" role="menuitem">Partners</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="javascript:;" role="menuitem">Resources</a></li> </ul> </div></span> <div class="mobile-bottom-s"> <div class="mobile-indicies"> 
<div class="bottom-list"> <ul> <li> <a href="https://www.trustwave.com/en-us/company/contact/">Contact Us </a> </li> <li class="login-megamenu-u"> <a href="javascript:void(0)">Login </a> <div class="login-section"> <div class="back-to-login"> <span class="login-arrow arrow-global"> <svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path fill="#ffffff" d="m9.474 5.209s-4.501 4.505-6.254 6.259c-.147.146-.22.338-.22.53s.073.384.22.53c1.752 1.754 6.252 6.257 6.252 6.257.145.145.336.217.527.217.191-.001.383-.074.53-.221.293-.293.294-.766.004-1.057l-4.976-4.976h14.692c.414 0 .75-.336.75-.75s-.336-.75-.75-.75h-14.692l4.978-4.979c.289-.289.287-.761-.006-1.054-.147-.147-.339-.221-.53-.221-.191-.001-.38.071-.525.215z" fill-rule="nonzero" /></svg> </span> <span>login</span> </div> <div class="login-sec-inr"> <div class="login-two-row"> <div class="login-f-row"> <div class="log-logo"> <img src="https://www.trustwave.com/hubfs/fusion-logo-color-1.svg" alt="fusion-logo-color-1" loading="lazy" width="300" height="96" style="max-width: 100%; height: auto;"> </div> <div class="login-link-buton"> <a href="https://fusion.trustwave.com/">Fusion Platform Login </a> </div> <div class="what-link"> <a href="https://www.trustwave.com/en-us/company/about-us/trustwave-fusion-platform/">What is the Trustwave Fusion Platform? 
</a> </div> </div> <div class="login-s-row"> <div class="login-last-bnt"> <a href="https://console.us.mailmarshal.cloud/">MailMarshal Cloud Login </a> </div> </div> </div> </div> </div> </li> <li class="indices-menu"> <a href="javascript:void(0)">Incident Response </a> <div class="incidence-section"> <div class="indic-backmenu"> <span class="login-arrow arrow-global"> <svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path fill="#ffffff" d="m9.474 5.209s-4.501 4.505-6.254 6.259c-.147.146-.22.338-.22.53s.073.384.22.53c1.752 1.754 6.252 6.257 6.252 6.257.145.145.336.217.527.217.191-.001.383-.074.53-.221.293-.293.294-.766.004-1.057l-4.976-4.976h14.692c.414 0 .75-.336.75-.75s-.336-.75-.75-.75h-14.692l4.978-4.979c.289-.289.287-.761-.006-1.054-.147-.147-.339-.221-.53-.221-.191-.001-.38.071-.525.215z" fill-rule="nonzero" /></svg> </span> <span> Incident Response</span> </div> <div class="incidence-sec-inr"> <div class="indic-two-row"> <div class="indic-f-row"> <div class="indics-title"> <h6> Experiencing a security breach? 
</h6> </div> <div class="indics-content"> <p>Get access to immediate incident response assistance.</p> </div> <div class="hotline-title"> 24 HOUR HOTLINES </div> </div> <div class="indic-sec-row"> <div class="hot-item-link"> <ul> <li> <span> AMERICAS </span> <span> <a href="tel:+1%20855%20438%204305">+1 855 438 4305 </a> </span> </li> <li> <span> EMEA </span> <span> <a href="tel:+44%208081687370">+44 8081687370 </a> </span> </li> <li> <span> AUSTRALIA </span> <span> <a href="tel:+61%201300901211">+61 1300901211 </a> </span> </li> <li> <span> SINGAPORE </span> <span> <a href="tel:+65%2068175019">+65 68175019 </a> </span> </li> </ul> </div> <div class="indic-last-col"> <a href="https://www.trustwave.com/en-us/company/contact/security-breach/">Recommended Actions </a> </div> </div> </div> </div> </div> </li> <li class="form-s"> <form action="/search-results"> <input id="search" value="" type="text" class="form-control" name="q" placeholder="Search trustwave.com" autocomplete="off"> </form> </li> </ul> </div> <div class="last-cols"> <div class="icon-s"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" width="24px" height="24px" viewbox="0 0 24 24" enable-background="new 0 0 24 24" xml:space="preserve"> <g> <path fill="#ED1A3D" d="M12,0c6.6,0,12,5.4,12,12c0,6.6-5.4,12-12,12C5.3,24,0,18.6,0,12C0,5.4,5.4,0,12,0z M21.6,12 c0-5.3-4.3-9.6-9.6-9.6c-5.3,0-9.6,4.3-9.6,9.6c0,5.3,4.3,9.6,9.6,9.6C17.3,21.6,21.6,17.3,21.6,12z" /> <path fill="#ED1A3D" d="M10.8,10.2c0-1,0-2,0-3c0-0.6,0.4-1.1,1.1-1.2c0.6-0.1,1.1,0.3,1.3,0.8c0,0.1,0.1,0.2,0.1,0.4c0,2,0,4,0,6 c0,0.6-0.4,1.1-1,1.2c-0.5,0.1-1.1-0.3-1.3-0.8c-0.1-0.2-0.1-0.3-0.1-0.5C10.8,12.1,10.8,11.2,10.8,10.2 C10.8,10.2,10.8,10.2,10.8,10.2z" /> <path fill="#ED1A3D" d="M13.2,16.8c0,0.7-0.5,1.2-1.2,1.2c-0.7,0-1.2-0.5-1.2-1.2c0-0.7,0.5-1.2,1.2-1.2 C12.7,15.6,13.2,16.1,13.2,16.8z" /> </g> </svg> </div> <div class="last-content"> <p style="margin-top: 
10px;">Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. <a href="https://www.trustwave.com/en-us/company/newsroom/news/trustwave-and-cybereason-merge-to-form-global-mdr-powerhouse-for-unparalleled-cybersecurity-value/" rel="noopener" target="_blank">Learn More</a></p> <input id="hippowiz-ass-injected" type="hidden" value="true"><input id="hvmessage-toextension-listener" type="hidden" value="none"> </div> </div> </div> </div> </div> </div> </div> </div> <div class="header-right-sq"> <div class="request-two-col"> <div class="search-left"> <div class="search-s"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" width="24px" height="24px" viewbox="0 0 24 24" enable-background="new 0 0 24 24" xml:space="preserve"> <path fill="#fff" d="M23.6,21.9l-4.4-4.4c1.5-1.8,2.4-4.2,2.4-6.7c0-6-4.8-10.8-10.8-10.8S0,4.8,0,10.8s4.8,10.8,10.8,10.8 c2.5,0,4.9-0.9,6.7-2.4l4.4,4.4c0.2,0.2,0.5,0.3,0.9,0.3s0.6-0.1,0.9-0.3C24.1,23.2,24.1,22.4,23.6,21.9z M2.4,10.8 c0-4.6,3.8-8.4,8.4-8.4s8.4,3.8,8.4,8.4c0,2.3-0.9,4.3-2.4,5.9c0,0.1-0.1,0.1-0.2,0.2c-1.5,1.5-3.6,2.4-5.9,2.4 C6.2,19.2,2.4,15.4,2.4,10.8z"></path> </svg> </div> <div class="search-bg"> <div class="search-data"> <div class="search-d-inr"> <form action="/search-results"> <input id="search" value="" type="text" class="form-control" name="q" placeholder="Search trustwave.com" autocomplete="off"> </form> </div> </div> </div> </div> <div class="search-right"> <div class="demo-link"> <a href="#navdemo-form">Request a Demo </a> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div class="newPopupBoxSecSearch module_16910398984436" id="popupBox"> <div class="newPopupBoxTable"> <div class="newPopupBoxTableCell"> <div class="popupBoxSearchBox"> <a href="javascript:void(0)" class="searchPopClose"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" x="0px" y="0px" 
viewbox="0 0 512.001 512.001" style="enable-background:new 0 0 512.001 512.001;" xml:space="preserve"> <g> <path d="M284.286,256.002L506.143,34.144c7.811-7.811,7.811-20.475,0-28.285c-7.811-7.81-20.475-7.811-28.285,0L256,227.717 L34.143,5.859c-7.811-7.811-20.475-7.811-28.285,0c-7.81,7.811-7.811,20.475,0,28.285l221.857,221.857L5.858,477.859 c-7.811,7.811-7.811,20.475,0,28.285c3.905,3.905,9.024,5.857,14.143,5.857c5.119,0,10.237-1.952,14.143-5.857L256,284.287 l221.857,221.857c3.905,3.905,9.024,5.857,14.143,5.857s10.237-1.952,14.143-5.857c7.811-7.811,7.811-20.475,0-28.285 L284.286,256.002z"></path> </g> </svg> </a> </div> <div class="download-casestudy-in"> <div class="casestudy-main-cl"> <div class="download-form"> <span id="hs_cos_wrapper_module_16910398984436_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_form" style="" data-hs-cos-general-type="widget" data-hs-cos-type="form"><h3 id="hs_cos_wrapper_form_677305598_title" class="hs_cos_wrapper form-title" data-hs-cos-general-type="widget_field" data-hs-cos-type="text"></h3> <div id="hs_form_target_form_677305598"></div> </span> </div> </div> </div> </div> </div> </div> <div class="megamenu"> <div class="service-section megamenuRepeat" data-id="1"> <div class="service-sec-inr overlayclr"> <div class="back-menu-m service-back"> <div class="arrows-q"> <svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path fill="#ffffff" d="m9.474 5.209s-4.501 4.505-6.254 6.259c-.147.146-.22.338-.22.53s.073.384.22.53c1.752 1.754 6.252 6.257 6.252 6.257.145.145.336.217.527.217.191-.001.383-.074.53-.221.293-.293.294-.766.004-1.057l-4.976-4.976h14.692c.414 0 .75-.336.75-.75s-.336-.75-.75-.75h-14.692l4.978-4.979c.289-.289.287-.761-.006-1.054-.147-.147-.339-.221-.53-.221-.191-.001-.38.071-.525.215z" fill-rule="nonzero"></path></svg> </div> <span>Services</span> </div> <div class="service-cols"> <div class="service-box"> <div 
class="service-box-inr"> <div class="manage-two-col"> <div class="manage-right"> <a href="https://www.trustwave.com/en-us/services/managed-detection-and-response/"></a> <div class="manage-title"> Managed Detection &amp; Response </div> <div class="manage-content"> <p>Eliminate active threats with 24/7 threat detection, investigation, and response.</p> </div> </div> </div> </div> <div class="service-box-inr"> <div class="manage-two-col"> <div class="manage-right"> <a href="/en-us/services/co-managed-soc/"></a> <div class="manage-title"> Co-Managed SOC (SIEM) </div> <div class="manage-content"> <p>Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.</p> </div> </div> </div> </div> <div class="service-box-inr"> <div class="manage-two-col"> <div class="manage-right"> <a href="https://www.trustwave.com/en-us/services/consulting-and-professional-services/"></a> <div class="manage-title"> Advisory &amp; Diagnostics </div> <div class="manage-content"> <p>Advance your cybersecurity program and get expert guidance where you need it most.</p> </div> </div> </div> </div> <div class="service-box-inr"> <div class="manage-two-col"> <div class="manage-right"> <a href="https://www.trustwave.com/en-us/services/penetration-testing/"></a> <div class="manage-title"> Penetration Testing </div> <div class="manage-content"> <p>Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.</p> </div> </div> </div> </div> <div class="service-box-inr"> <div class="manage-two-col"> <div class="manage-right"> <a href="https://www.trustwave.com/en-us/services/database-security/"></a> <div class="manage-title"> Database Security </div> <div class="manage-content"> <p>Prevent unauthorized access and exceed compliance requirements.</p> </div> </div> </div> </div> <div class="service-box-inr"> <div class="manage-two-col"> <div class="manage-right"> <a 
href="https://www.trustwave.com/en-us/services/email-security/"></a> <div class="manage-title"> Email Security </div> <div class="manage-content"> <p>Stop email threats others miss and secure your organization against the #1 ransomware attack vector.</p> </div> </div> </div> </div> <div class="service-box-inr"> <div class="manage-two-col"> <div class="manage-right"> <a href="https://www.trustwave.com/en-us/services/consulting-and-professional-services/digital-forensics-and-incident-response/"></a> <div class="manage-title"> Digital Forensics &amp; Incident Response </div> <div class="manage-content"> <p>Prepare for the inevitable with 24/7 global breach response in-region and available on-site.</p> </div> </div> </div> </div> <div class="service-box-inr"> <div class="manage-two-col"> <div class="manage-right"> <a href="https://www.trustwave.com/en-us/services/managed-security-services/firewall-and-technology-management/"></a> <div class="manage-title"> Firewall &amp; Technology Management </div> <div class="manage-content"> <p>Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.</p> </div> </div> </div> </div> </div> <div class="view-all-s"> <a href="https://www.trustwave.com/en-us/services/">View All Trustwave Services </a> </div> </div> </div> </div> <div class="solution-section megamenuRepeat" data-id="2"> <div class="solution-sec-inr overlayclr"> <div class="back-menu-m solution-back"> <div class="arrows-q"> <svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path fill="#ffffff" d="m9.474 5.209s-4.501 4.505-6.254 6.259c-.147.146-.22.338-.22.53s.073.384.22.53c1.752 1.754 6.252 6.257 6.252 6.257.145.145.336.217.527.217.191-.001.383-.074.53-.221.293-.293.294-.766.004-1.057l-4.976-4.976h14.692c.414 0 
.75-.336.75-.75s-.336-.75-.75-.75h-14.692l4.978-4.979c.289-.289.287-.761-.006-1.054-.147-.147-.339-.221-.53-.221-.191-.001-.38.071-.525.215z" fill-rule="nonzero"></path></svg> </div> <span>Solutions</span> </div> <div class="solution-two-col"> <div class="solution-left"> <div class="solution-cols"> <div class="solution-fs"> <div class="solution-fs-inr"> <div class="sol-fs-title"> BY INDUSTRY </div> <div class="sol-simp-menus"> <span id="hs_cos_wrapper_module_16910398984436_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_simple_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="simple_menu"><div id="hs_menu_wrapper_module_16910398984436_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="" data-menu-id="" aria-label="Navigation Menu"> <ul role="menu"> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-industry/education/" role="menuitem" target="_self">Education</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-industry/financial-services/" role="menuitem" target="_self"> Financial Services</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-industry/government/" role="menuitem" target="_self">Government</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-industry/healthcare/" role="menuitem" target="_self">Healthcare</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-industry/hotels/" role="menuitem" target="_self">Hotels</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-industry/legal/" role="menuitem" target="_self">Legal</a></li> <li class="hs-menu-item hs-menu-depth-1" 
role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-industry/manufacturing/" role="menuitem" target="_self">Manufacturing</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-industry/retail/" role="menuitem" target="_self">Retail</a></li> </ul> </div></span> </div> </div> </div> <div class="solution-fs"> <div class="solution-fs-inr"> <div class="sol-fs-title"> BY REGULATION </div> <div class="sol-simp-menus"> <span id="hs_cos_wrapper_module_16910398984436_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_simple_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="simple_menu"><div id="hs_menu_wrapper_module_16910398984436_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="" data-menu-id="" aria-label="Navigation Menu"> <ul role="menu"> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-mandate/data-privacy/" role="menuitem" target="_self">Data Privacy</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-mandate/cybersecurity-maturity-model-certification/" role="menuitem" target="_self">CMMC</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-mandate/fisma/" role="menuitem" target="_self">FISMA</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-mandate/gdpr/" role="menuitem" target="_self">GDPR</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-mandate/glba/" role="menuitem" target="_self">GLBA</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-mandate/hipaa/" role="menuitem" target="_self">HIPAA</a></li> <li 
class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-mandate/iso/" role="menuitem" target="_self">ISO</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/capabilities/by-mandate/sox/" role="menuitem" target="_self">SOX</a></li> </ul> </div></span> </div> </div> </div> </div> </div> <div class="solution-right"> <div class="sol-r-inr"> <div class="topic-titles"> BY TOPIC </div> <div class="topic-main-s"> <div class="topic-item"> <a href="https://www.trustwave.com/en-us/company/alliance-ecosystem/technology-partners/microsoft/"></a> <div class="topic-title"> Microsoft Security </div> <div class="topic-content"> Unlock the full power of Microsoft Security </div> </div> <div class="topic-item"> <a href="https://www.trustwave.com/capabilities/by-topic/offensive-security-solutions/"></a> <div class="topic-title"> Offensive Security </div> <div class="topic-content"> Solutions to maximize your security ROI </div> </div> <div class="topic-item"> <a href="https://www.trustwave.com/en-us/capabilities/by-topic/rapidly-secure-temporary-infrastructures/"></a> <div class="topic-title"> Rapidly Secure New Environments </div> <div class="topic-content"> Security for rapid response situations </div> </div> <div class="topic-item"> <a href="https://www.trustwave.com/en-us/capabilities/by-topic/cloud-security/"></a> <div class="topic-title"> Securing the Cloud </div> <div class="topic-content"> Safely navigate and stay protected </div> </div> <div class="topic-item"> <a href="https://www.trustwave.com/en-us/capabilities/by-topic/securing-the-iot-landscape/"></a> <div class="topic-title"> Securing the IoT Landscape </div> <div class="topic-content"> Test, monitor and secure network objects </div> </div> </div> </div> </div> </div> </div> </div> <div class="trust-section megamenuRepeat" data-id="3"> <div class="trust-sec-inr overlayclr"> <div class="back-menu-m solution-back"> <div 
class="arrows-q"> <svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path fill="#ffffff" d="m9.474 5.209s-4.501 4.505-6.254 6.259c-.147.146-.22.338-.22.53s.073.384.22.53c1.752 1.754 6.252 6.257 6.252 6.257.145.145.336.217.527.217.191-.001.383-.074.53-.221.293-.293.294-.766.004-1.057l-4.976-4.976h14.692c.414 0 .75-.336.75-.75s-.336-.75-.75-.75h-14.692l4.978-4.979c.289-.289.287-.761-.006-1.054-.147-.147-.339-.221-.53-.221-.191-.001-.38.071-.525.215z" fill-rule="nonzero"></path></svg> </div> <span>Why Trustwave</span> </div> <div class="trust-bottom-cs"> <div class="trust-col-s"> <div class="trust-cls"> <a href="/en-us/company/about-us/"></a> <div class="t-title-s"> About Us </div> <div class="t-link-s"> We reduce cyber risk and fortify organizations </div> </div> </div> <div class="trust-col-s"> <div class="trust-cls"> <a href="/en-us/company/about-us/accolades/"></a> <div class="t-title-s"> Awards and Accolades </div> <div class="t-link-s"> Recognition by analysts and media outlets </div> </div> </div> <div class="trust-col-s"> <div class="trust-cls"> <a href="/en-us/company/about-us/spiderlabs/"></a> <div class="t-title-s"> Trustwave SpiderLabs Team </div> <div class="t-link-s"> Global researchers, ethical hackers, and responders </div> </div> </div> <div class="trust-col-s"> <div class="trust-cls"> <a href="/en-us/company/about-us/trustwave-fusion-platform/"></a> <div class="t-title-s"> Trustwave Fusion Security Operations Platform </div> <div class="t-link-s"> Unprecedented security visibility and control </div> </div> </div> <div class="trust-col-s"> <div class="trust-cls"> <a href="https://www.securitycolony.com/" target="_blank" rel="noopener"></a> <div class="t-title-s"> Trustwave Security Colony </div> <div class="t-link-s"> Access to cybersecurity threat protection resources </div> </div> </div> </div> </div> </div> <div class="partner-section megamenuRepeat" 
data-id="4"> <div class="partner-sec-inr overlayclr"> <div class="back-menu-m solution-back"> <div class="arrows-q"> <svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path fill="#ffffff" d="m9.474 5.209s-4.501 4.505-6.254 6.259c-.147.146-.22.338-.22.53s.073.384.22.53c1.752 1.754 6.252 6.257 6.252 6.257.145.145.336.217.527.217.191-.001.383-.074.53-.221.293-.293.294-.766.004-1.057l-4.976-4.976h14.692c.414 0 .75-.336.75-.75s-.336-.75-.75-.75h-14.692l4.978-4.979c.289-.289.287-.761-.006-1.054-.147-.147-.339-.221-.53-.221-.191-.001-.38.071-.525.215z" fill-rule="nonzero"></path></svg> </div> <span>Partners</span> </div> <div class="partner-bottom-col"> <div class="partn-br-s"> <div class="partn-cols"> <div class="partn-clr"> <a href="https://www.trustwave.com/en-us/company/alliance-ecosystem/technology-partners/"> </a> <div class="title-s"> Technology Alliance Partners </div> <div class="content-s"> Key alliances who align and support our ecosystem of security offerings </div> </div> </div> <div class="partn-cols"> <div class="partn-clr"> <a href="https://www.trustwave.com/en-us/partnerone/"> </a> <div class="title-s"> Trustwave PartnerOne Program </div> <div class="content-s"> Join forces with Trustwave to protect against the most advance cybersecurity threats </div> </div> </div> </div> <div class="button-twoc-l"> <div class="button-left"> <div class="btn-q"> <a href="https://trustwave.ziftone.com/#/page/reg">Register </a> </div> </div> <div class="button-right"> <div class="btn-q chgbtn"> <a href="https://trustwave.ziftone.com/#/page/logged-out-home">Login </a> </div> </div> </div> </div> </div> </div> <div class="resource-section megamenuRepeat" data-id="5"> <div class="resource-sec-inr overlayclr"> <div class="back-menu-m solution-back"> <div class="arrows-q"> <svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" viewbox="0 0 24 24" 
role="menuitem" target="_self">Support</a></li> </ul> </div></span> </div> </div> </div> </div> </div> </div> </div></div> <div id="main-content"> <article class="blog-details-page blog-post_details-page light-theme"> <div class="dnd-section"> <div class="row-fluid"> <div class="blog-details-header"> <div class="blog-details-header-left"> <div class="breadcrumbs"> <ul role="menu"> <li> <a href="https://www.trustwave.com/en-us/" class="blog-post_blog-link" title="Home">Home</a> </li> <li><a href="https://www.trustwave.com/en-us/resources/library/" class="blog-post_blog-link" title="Resources">Resources</a></li> <li><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog" class="blog-post_blog-link" title="SpiderLabs Blog">SpiderLabs Blog</a></li> </ul> </div> <h1>Analyzing Malware Hollow Processes</h1> </div> <div class="blog-details-header-right"> <a href="#" class="theme-changer">Change theme to light</a> <img src="https://www.trustwave.com/hs-fs/hubfs/Web/Spiders/2024/spider_01-mob.png?width=450&amp;height=250&amp;name=spider_01-mob.png" loading="eager" alt="Analyzing Malware Hollow Processes" class="hero-spider"> </div> </div> <div class="toc-content content-wrapper"> <div class="wrapper-main_content"> <div class="blog-details-metadata"> <span class="date-time"> <time datetime="2011-05-16 12:36:00">May 16, 2011</time> </span> <span class="minread">7 Minute Read</span> </div> <div class="wrapper-blog-content"> <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p style="font-size: 16px;">The Malware Analyst's Cookbook is a great book. In it the authors talked about an interesting technique they called 'process hollowing'.</p> <!--more--><p style="font-size: 16px;">When I read about it, I was intrigued and played around a bit with the examples from the book. 
Then recently on a malware analysis investigation, we ran across it in the real world. Asking around a bit, it turns out this is actually a pretty common technique in the wild.</p> <p style="font-size: 16px;">To effectively detect malware that uses process hollowing, we must first understand how this technique is used. Understanding the code patterns to look for is also crucial in order to recognize it when you see it while analyzing malware samples that use this technique.</p> <h4 style="font-size: 16px;">What is Process Hollowing?</h4> <p style="font-size: 16px;">Process hollowing is a technique used by some malware in which a legitimate process is loaded on the system solely to act as a container for hostile code. At launch, the legitimate code is deallocated and replaced with malicious code. The advantage is that this helps the process hide amongst normal processes better. If you inspect the process and its imports using conventional tools, they all look legit. The PEB is untouched, but the actual code and data of the process have been changed.</p> <p style="font-size: 16px;">What does this look like in the code (i.e. how will you recognize it)? First, the malware starts a legitimate process using <strong>CreateProcess</strong> using the <strong>CREATE_SUSPENDED</strong> option in the <strong>fdwCreate</strong> flags parameter. MSDN <a href="http://msdn.microsoft.com/en-us/library/ms682425(v=vs.85).aspx" target="_self">tells us</a> the following:</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">// This function is used to run a new program. It creates a new process // and its primary thread. 
The new process runs the specified executable // file.</span><br><span style="font-family: 'courier new', courier;">BOOL CreateProcess(</span><br><span style="font-family: 'courier new', courier;"> LPCWSTR pszImageName,</span><br><span style="font-family: 'courier new', courier;"> LPCWSTR pszCmdLine,</span><br><span style="font-family: 'courier new', courier;"> LPSECURITY_ATTRIBUTES psaProcess,</span><br><span style="font-family: 'courier new', courier;"> LPSECURITY_ATTRIBUTES psaThread,</span><br><span style="font-family: 'courier new', courier;"> BOOL fInheritHandles,</span><br><span style="font-family: 'courier new', courier;"> DWORD fdwCreate,</span><br><span style="font-family: 'courier new', courier;"> LPVOID pvEnvironment,</span><br><span style="font-family: 'courier new', courier;"> LPWSTR pszCurDir,</span><br><span style="font-family: 'courier new', courier;"> LPSTARTUPINFOW psiStartInfo,</span><br><span style="font-family: 'courier new', courier;"> LPPROCESS_INFORMATION pProcInfo</span><br><span style="font-family: 'courier new', courier;">);</span><br><br><span style="font-family: 'courier new', courier;">// fdwCreate</span><br><span style="font-family: 'courier new', courier;">// [in] Specifies additional flags that control the priority<br>// and the creation of the process.</span><br><span style="font-family: 'courier new', courier;">//</span><br><span style="font-family: 'courier new', courier;">// CREATE_SUSPENDED fdwCreate flag</span><br><span style="font-family: 'courier new', courier;">// The primary thread of the new process is created in a suspended state,<br>// and does not run until the ResumeThread function is called.</span></p> <p style="font-size: 16px;">The host program is now loaded but no code has been executed yet since it is started in suspended mode. 
The malware also has a handle to the process it started through the pProcInfo structure passed to CreateProcess.<br><br>While the host process is suspended, the malware first unmaps (or hollows out) the legitimate code from memory in the host process. The <a href="http://msdn.microsoft.com/en-us/library/ff557711(v=vs.85).aspx" target="_self">ZwUnmapViewOfSection or NtUnmapViewOfSection</a> WIN32 API function may be used to unmap the original code:</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">// NtUnmapViewOfSection and ZwUnmapViewOfSection are two versions of<br>// the same Windows Native System Services routine.</span><br><br><span style="font-family: 'courier new', courier;">// The ZwUnmapViewOfSection routine unmaps a view of a section from <br>// the virtual address space of a subject process.</span><br><span style="font-family: 'courier new', courier;">// A view can be a whole or partial mapping of a section object in <br>// the virtual address space of a process.</span><br><span style="font-family: 'courier new', courier;">NTSTATUS ZwUnmapViewOfSection(</span><br><span style="font-family: 'courier new', courier;"> __in HANDLE ProcessHandle,</span><br><span style="font-family: 'courier new', courier;"> __in_opt PVOID BaseAddress</span><br><span style="font-family: 'courier new', courier;">);</span></p> <p style="font-size: 16px;">Because the unmap function is a kernel API function, you will often see the malware dynamically resolve its function address at runtime as follows:</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">HMODULE handle = <a href="http://msdn.microsoft.com/en-us/library/ms683199(v=vs.85).aspx" target="_self">GetModuleHandle</a>("ntdll.dll");</span><br><br><span style="font-family: 'courier new', courier;">funcptr = <a href="http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx" 
target="_self">GetProcAddress</a>(handle, "NtUnmapViewOfSection");</span><br><br><span style="font-family: 'courier new', courier;">or</span><br><br><span style="font-family: 'courier new', courier;">funcptr = <a href="http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx" target="_self">GetProcAddress</a>(handle, "ZwUnmapViewOfSection");</span></p> <p style="font-size: 16px;">The malware then allocates memory for the new code using <a href="http://msdn.microsoft.com/en-us/library/aa366890(v=vs.85).aspx" target="_self">VirtualAllocEx</a>. It must ensure the code is marked as writeable and executable using the flProtect parameter. This is one of the giveaways that a process may contain malicious code; however, as we'll see in a bit, it isn't completely reliable since the malware can change this setting when it is done filling in the hollowed process memory.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">// Reserves or commits a region of memory within the virtual address <br>// space of a specified process.</span><br><br><span style="font-family: 'courier new', courier;">LPVOID WINAPI VirtualAllocEx(</span><br><span style="font-family: 'courier new', courier;"> __in HANDLE hProcess,</span><br><span style="font-family: 'courier new', courier;"> __in_opt LPVOID lpAddress,</span><br><span style="font-family: 'courier new', courier;"> __in SIZE_T dwSize,</span><br><span style="font-family: 'courier new', courier;"> __in DWORD flAllocationType,</span><br><span style="font-family: 'courier new', courier;"> __in DWORD flProtect</span><br><span style="font-family: 'courier new', courier;">);</span><br><br><span style="font-family: 'courier new', courier;">// Memory Protection Constant PAGE_EXECUTE_READWRITE = 0x40</span><br><span style="font-family: 'courier new', courier;">// Enables execute, read-only, or read/write access to the committed <br>// region of pages.</span></p> <p style="font-size: 16px;">The 
malware then writes its own new code into the hollow host process using <a href="http://msdn.microsoft.com/en-us/library/ms681674(v=vs.85).aspx" target="_self">WriteProcessMemory</a>, writing data to the memory allocated in the host process with VirtualAllocEx.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">// Writes data to an area of memory in a specified process. The entire <br>// area to be written to must be accessible or the operation fails.</span><br><br><span style="font-family: 'courier new', courier;">BOOL WriteProcessMemory(</span><br><span style="font-family: 'courier new', courier;"> HANDLE hProcess,</span><br><span style="font-family: 'courier new', courier;"> LPVOID lpBaseAddress,</span><br><span style="font-family: 'courier new', courier;"> LPVOID lpBuffer,</span><br><span style="font-family: 'courier new', courier;"> DWORD nSize,</span><br><span style="font-family: 'courier new', courier;"> LPDWORD lpNumberOfBytesWritten</span><br><span style="font-family: 'courier new', courier;">);</span></p> <p style="font-size: 16px;">If the malware author is careful, they will adjust the code and data sections to look normal with Read/Execute or Read-only protections using <a href="http://msdn.microsoft.com/en-us/library/aa366899(v=vs.85).aspx" target="_self">VirtualProtectEx</a>. 
Thus we can't rely solely on memory protection settings for detection as it is often easily avoided by the malware authors.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">// Changes the protection on a region of committed pages in the virtual <br>// address space of a specified process.</span><br><span style="font-family: 'courier new', courier;">BOOL WINAPI VirtualProtectEx(</span><br><span style="font-family: 'courier new', courier;"> __in HANDLE hProcess,</span><br><span style="font-family: 'courier new', courier;"> __in LPVOID lpAddress,</span><br><span style="font-family: 'courier new', courier;"> __in SIZE_T dwSize,</span><br><span style="font-family: 'courier new', courier;"> __in DWORD flNewProtect,</span><br><span style="font-family: 'courier new', courier;"> __out PDWORD lpflOldProtect</span><br><span style="font-family: 'courier new', courier;">);</span></p> <p style="font-size: 16px;">The malware adjusts the remote context (context is just a fancy way of saying, frozen register state) to point to the new code section and may perform other cleanup tasks as necessary. 
The <a href="http://msdn.microsoft.com/en-us/library/ms680632(v=vs.85).aspx" target="_self">SetThreadContext</a> function can be used to perform this step.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">// Sets the context for the specified thread.</span><br><span style="font-family: 'courier new', courier;">BOOL WINAPI SetThreadContext(</span><br><span style="font-family: 'courier new', courier;"> __in HANDLE hThread,</span><br><span style="font-family: 'courier new', courier;"> __in const CONTEXT *lpContext</span><br><span style="font-family: 'courier new', courier;">);</span></p> <p style="font-size: 16px;">Once everything is ready, the malware loader simply resumes the suspended process using <a href="http://msdn.microsoft.com/en-us/library/ms685086(v=vs.85).aspx" target="_self">ResumeThread</a>.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">// Decrements a thread's suspend count. When the suspend count is <br>// decremented to zero, the execution of the thread is resumed.</span><br><span style="font-family: 'courier new', courier;">DWORD WINAPI ResumeThread(</span><br><span style="font-family: 'courier new', courier;"> __in HANDLE hThread</span><br><span style="font-family: 'courier new', courier;">);</span></p> <p style="font-size: 16px;">Another common characteristic is that the malware loader will incorporate its own PE and MZ header parsing code in order to effectively take over the role of the system EXE loader. One dead giveaway is when the code tries to match the "MZ" magic header value to confirm it is working with an exe file. 
This type of header parsing is common in lots of malware tricks, so it isn't necessarily an indication of this specific technique.</p> <h4 style="font-size: 16px;">Detecting Hollowed Processes With Volatility</h4> <p style="font-size: 16px;">The <a href="https://www.volatilesystems.com/default/volatility" target="_self">Volatility Framework</a> is an excellent open-source tool for volatile memory forensic analysis. The core features of the tool are pretty robust, and there exist a large number of plugins for adding even more functionality.</p> <p style="font-size: 16px;">One common technique for detecting hollowed processes is by scanning allocated memory for segments that have the RWX protection setting. As mentioned above, if the attacker forgot to fix memory protection flags with VirtualProtectEx, we can find it easily. A Volatility plugin by Michael Hale Ligh called 'malfind.py' or 'malware.py' does this as part of its scanning.<br><br>This is actually a useful general technique for detecting potentially malicious code, since certain DLL injection and other techniques may be detected this way as well. 
As noted above, however, careful malware authors can easily avoid this by correcting protection settings after they are done writing to memory.<br><br>But, using Volatility without any plugins we can dump processes to files and compare them with each other or with their original file on the filesystem.<br><br>In the following example, we suspected that svchost.exe may be used as a host process for process hollowing in the malware we were investigating.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">emonti$ <strong>vol.py pslist -f example.dump --profile=WinXPSP3x86 |grep svchost</strong></span><br><span style="font-family: 'courier new', courier;">Volatile Systems Volatility Framework 1.4_rc1</span><span style="font-family: 'courier new', courier;"></span><br><span style="font-family: 'courier new', courier;">0x81f37428 svchost.exe 912 728 16 207 2010-11-10 22:48:22</span><br><span style="font-family: 'courier new', courier;">0x82022da0 svchost.exe 992 728 10 283 2010-11-10 22:48:22</span><br><span style="font-family: 'courier new', courier;">0x822a7da0 svchost.exe 1084 728 87 2243 2010-11-10 22:48:22</span><br><span style="font-family: 'courier new', courier;">0x82264468 svchost.exe 1132 728 5 76 2010-11-10 22:48:22</span><br><span style="font-family: 'courier new', courier;">0x82198160 svchost.exe 1188 728 13 172 2010-11-10 22:48:24</span><br><span style="font-family: 'courier new', courier;">0x82203a78 svchost.exe 1568 728 4 105 2010-11-10 22:48:33</span><span style="font-family: 'courier new', courier;"></span><br><span style="font-family: 'courier new', courier;">0x8233ad60 svchost.exe 2496 <span style="color: #ff0000;">3764</span> 5 156 <span style="color: #ff0000;">2011-05-11 22:35:38</span></span></p> <p style="font-size: 16px;">At a glance, we can see that the last svchost.exe has a different parent pid and start time from the rest; this stands out. 
But again, this is not always a conclusive indication of malware, nor is it a reliable method of detecting it since attackers can also take steps to modify this.<br><br>Next, we dump the processes using Volatility's procexedump command, and copy in a legitimate svchost.exe from the filesystem for comparison.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">emonti$ <strong>mkdir dumps</strong></span><br><span style="font-family: 'courier new', courier;">emonti$ <strong>cp legit_files/svchost.exe dumps/</strong></span><br><br><span style="font-family: 'courier new', courier;">emonti$ <strong>volatility procexedump -f example.dump --dump-dir=dumps --pid=912,992,104,1132,1188,1568,2496 --profile=WinXPSP3x86</strong></span><br><span style="font-family: 'courier new', courier;">Volatile Systems Volatility Framework 1.4_rc1</span><br><span style="font-family: 'courier new', courier;">************************************************************************</span><br><span style="font-family: 'courier new', courier;">Dumping svchost.exe, pid: 912 output: executable.912.exe</span><br><span style="font-family: 'courier new', courier;">************************************************************************</span><br><span style="font-family: 'courier new', courier;">Dumping svchost.exe, pid: 992 output: executable.992.exe</span><br><span style="font-family: 'courier new', courier;">************************************************************************</span><br><span style="font-family: 'courier new', courier;">Dumping svchost.exe, pid: 1132 output: executable.1132.exe</span><br><span style="font-family: 'courier new', courier;">************************************************************************</span><br><span style="font-family: 'courier new', courier;">Dumping svchost.exe, pid: 1188 output: executable.1188.exe</span><br><span style="font-family: 'courier new', 
courier;">************************************************************************</span><br><span style="font-family: 'courier new', courier;">Dumping svchost.exe, pid: 1568 output: executable.1568.exe</span><br><span style="font-family: 'courier new', courier;">************************************************************************</span><br><span style="font-family: 'courier new', courier;">Dumping svchost.exe, pid: 2496 output: executable.2496.exe</span></p> <p style="font-size: 16px;">If we compare file sizes, we get further confirmation that something is wrong with pid 2496. Every other instance of svchost.exe has the same file size as the original filesystem file, but 2496 is considerably larger.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">emonti$ <strong>cd dumps/</strong></span><br><span style="font-family: 'courier new', courier;">emonti$ <strong>ls -l</strong></span><br><span style="font-family: 'courier new', courier;">total 288</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti staff 14336 May 11 18:15 executable.1132.exe</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti staff 14336 May 11 18:15 executable.1188.exe</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti staff 14336 May 11 18:15 executable.1568.exe</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti staff 49152 May 11 18:15 executable.2496.exe</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti staff 14336 May 11 18:15 executable.912.exe</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti staff 14336 May 11 18:15 executable.992.exe</span><br><span style="font-family: 'courier new', courier;">-rwxr-xr-x 1 emonti staff 14336 May 11 17:52 svchost.exe</span></p> <h4 style="font-size: 16px;">Combining Volatility with Fuzzy Hashing</h4> <p style="font-size: 
16px;">Sometimes another effective way of detecting hollowing and other process tampering is to use fuzzy hashing to compare processes in memory against other instances of the same process, or their original file on the filesystem. The industry standard tool for <a href="http://www.forensicswiki.org/wiki/Context_Triggered_Piecewise_Hashing" target="_self">fuzzy hashing</a> is called '<a href="http://ssdeep.sourceforge.net/" target="_self">ssdeep</a>' (by Jesse Kornblum) based on a spam detection algorithm called 'spamsum' (by Andrew Tridgell).</p> <p style="font-size: 16px;">The Malware Analyst's Cookbook contains a recipe for a Volatility plugin to do this. But here's a quick way to do the same thing just using the command-line tools.</p> <p style="font-size: 16px;">First, let's see what a normal, legitimate process looks like when compared to its original file on disk.</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">emonti$ <strong>volatility pslist -f ../example.dump</strong></span><br><span style="font-family: 'courier new', courier;">Volatile Systems Volatility Framework 1.4_rc1</span><br><span style="font-family: 'courier new', courier;"> Offset(V) Name PID PPID Thds Hnds Time</span><br><span style="font-family: 'courier new', courier;">---------- -------------------- ------ ------ ------ ------ -------------------</span><br><span style="font-family: 'courier new', courier;">...</span><br><span style="font-family: 'courier new', courier;">0x8223fc98 cmd.exe 560 500 1 80 2011-05-11 21:22:00</span><br><span style="font-family: 'courier new', courier;">...</span><br><br><span style="font-family: 'courier new', courier;">emonti$ <strong>volatility procexedump -f ../example.dump --pid=560 --dump-dir=.</strong></span><br><span style="font-family: 'courier new', courier;">Volatile Systems Volatility Framework 1.4_rc1</span><br><span style="font-family: 'courier new', 
courier;">************************************************************************</span><br><span style="font-family: 'courier new', courier;">Dumping cmd.exe, pid: 560 output: executable.560.exe</span><br><br><span style="font-family: 'courier new', courier;">emonti$ cp ../legit_files/cmd.exe .</span><br><span style="font-family: 'courier new', courier;">emonti$ ls -l executable.560.exe cmd.exe</span><br><span style="font-family: 'courier new', courier;">-rwxr-xr-x 1 emonti TRUSTWAVE\domain users 389120 Apr 14 2008 cmd.exe</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti TRUSTWAVE\domain users 389120 May 11 18:24 executable.560.exe</span><br><br><span style="font-family: 'courier new', courier;">emonti$ <strong>ssdeep -d -a cmd.exe executable.560.exe</strong></span><br><span style="font-family: 'courier new', courier;">/Users/emonti/dumps/executable.560.exe matches /Users/emonti/dumps/cmd.exe (65)</span></p> <p style="font-size: 16px;">The fuzzy hash score is 65, indicating a considerable amount of common content in both files.<br><br>Contrast that with a fake instance of cmd.exe:</p> <p style="padding-left: 30px; font-size: 16px;"><span style="font-family: 'courier new', courier;">emonti$ volatility pslist -f ../example.dump</span><br><span style="font-family: 'courier new', courier;">Volatile Systems Volatility Framework 1.4_rc1</span><br><span style="font-family: 'courier new', courier;">Offset(V) Name PID PPID Thds Hnds Time</span><br><span style="font-family: 'courier new', courier;">---------- -------------------- ------ ------ ------ ------ -------------------</span><br><span style="font-family: 'courier new', courier;">...</span><br><span style="font-family: 'courier new', courier;">0x822dca08 cmd.exe 264 500 4 69 2010-11-10 23:07:23</span><br><span style="font-family: 'courier new', courier;">...</span><br><br><span style="font-family: 'courier new', courier;">emonti$ volatility procexedump -f ../example.dump 
--pid=264 --dump-dir=.</span><br><span style="font-family: 'courier new', courier;">Volatile Systems Volatility Framework 1.4_rc1</span><br><span style="font-family: 'courier new', courier;">************************************************************************</span><br><span style="font-family: 'courier new', courier;">Dumping cmd.exe, pid: 264 output: executable.264.exe</span><br><br><br><span style="font-family: 'courier new', courier;">emonti$ <strong>ls -l cmd.exe executable.560.exe executable.264.exe</strong></span><br><span style="font-family: 'courier new', courier;">-rwxr-xr-x 1 emonti TRUSTWAVE\domain users 389120 Apr 14 2008 cmd.exe</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti TRUSTWAVE\domain users 15360 May 11 18:32 executable.264.exe</span><br><span style="font-family: 'courier new', courier;">-rw-r--r-- 1 emonti TRUSTWAVE\domain users 389120 May 11 18:24 executable.560.exe</span><br><br><span style="font-family: 'courier new', courier;">emonti$ <strong>ssdeep -d -a cmd.exe executable.560.exe executable.264.exe</strong></span><br><span style="font-family: 'courier new', courier;">executable.560.exe matches cmd.exe (65)</span><br><span style="font-family: 'courier new', courier;">executable.264.exe matches cmd.exe (0)</span><br><span style="font-family: 'courier new', courier;">executable.264.exe matches executable.560.exe (0)</span></p> <p style="font-size: 16px;">The suspicious cmd.exe has a different file size as well as a 0 ssdeep score when compared to the legitimate filesystem file, or another instance of cmd.exe in memory.<br><br>Obviously, it is better to use the file from the filesystem, or the same file from another known-good system if possible. 
We can't necessarily count on any of the processes or files on an infected system being legitimate.</p> <h4 style="font-size: 16px;">Resources and More Info</h4> <ul style="font-size: 16px;"> <li>Volatility is available from <a href="https://www.volatilesystems.com/" target="_self">https://www.volatilesystems.com/</a></li> <li>ssdeep is available from <a href="http://ssdeep.sourceforge.net/" target="_self">http://ssdeep.sourceforge.net/</a></li> <li>An excellent source for obtaining legitimate windows files is <a href="http://filelab.com" target="_self">http://filelab.com </a>where they host multiple versions of common windows executables and DLLs available for download, and provide a robust search engine for quickly finding them.</li> <li>A good writeup on process hollowing including a PoC code example <a href="http://www.codereversing.com/blog/?p=65" target="_self">http://www.codereversing.com/blog/?p=65</a></li> </ul></span> </div> </div> <aside class="wrapper-side_content"> <div class="side_content-sticky"> <div class="blog-post-social-share"> <div id="hs_cos_wrapper_module_172236034181117" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <div id="module_172236034181117" class="module-share-wrapper default"> <div class="share-text"> Share: </div> <!-- HTML to show when COPY LINK checked --> <div class="share-btn copy-link"> <a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/" rel="noopener">Copy Link</a> <span class="copied-link">Link Copied</span> </div> <!-- HTML to show when LINKEDIN checked --> <div class="share-btn share-linkedin"> <span style="display: none">v2</span> <a href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/" target="_blank" rel="noopener">LinkedIn</a> </div> <!-- HTML to show when 
id="hs_cos_wrapper_module_17225404242263_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_inline_text" style="" data-hs-cos-general-type="widget" data-hs-cos-type="inline_text" data-hs-cos-field="text_cta">Penetration Testing</div> </a> </li> <li> <a class="btn-m btn btn-outline btn-white btn-outline-1 text-dark fill-dark btn-icon-back" href="https://www.trustwave.com/en-us/services/consulting-and-professional-services/digital-forensics-and-incident-response/"> <div id="hs_cos_wrapper_module_17225404242263_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_inline_text" style="" data-hs-cos-general-type="widget" data-hs-cos-type="inline_text" data-hs-cos-field="text_cta">Digital Forensics &amp; Incident Response</div> </a> </li> <li> <a class="btn-m btn btn-outline btn-white btn-outline-1 text-dark fill-dark btn-icon-back" href="https://www.trustwave.com/en-us/services/threat-intelligence-as-a-service/"> <div id="hs_cos_wrapper_module_17225404242263_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_inline_text" style="" data-hs-cos-general-type="widget" data-hs-cos-type="inline_text" data-hs-cos-field="text_cta">Threat Intelligence as a Service</div> </a> </li> <li> <a class="btn-m btn btn-outline btn-white btn-outline-1 text-dark fill-dark btn-icon-back" href="https://www.trustwave.com/en-us/services/threat-hunting/"> <div id="hs_cos_wrapper_module_17225404242263_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_inline_text" style="" data-hs-cos-general-type="widget" data-hs-cos-type="inline_text" data-hs-cos-field="text_cta">Threat Hunting</div> </a> </li> </ul> </div> </div> </div> </div> </div> </div> <div class="minified-final-plea dnd-section"> <div class="row-fluid"> <div id="hs_cos_wrapper_module_17228780589192" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <div 
id="promotional-interrupter-module_17228780589192" class="promotional-interrupter text_interrupter"> <div class="text_interrupter_content"> <h4>Discover how our specialists can tailor a security program to fit the needs of <br>your organization.</h4> </div> <a class="btn btn-solid btn-secondary text-white" href="#popupBlog"> Request a Demo </a> </div></div> <div id="hs_cos_wrapper_module_17228626314893" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <div class="popup-wrapper"></div> <div id="popupBlog" class=" popup popup-zoom mfp-hide shadow-xl rounded p-12 mb:p-8 bg-white"> <div class="popup-content"> </div> <div class="mt-8"> <span id="hs_cos_wrapper_module_17228626314893_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_form" style="" data-hs-cos-general-type="widget" data-hs-cos-type="form"><h3 id="hs_cos_wrapper_form_964237733_title" class="hs_cos_wrapper form-title" data-hs-cos-general-type="widget_field" data-hs-cos-type="text"></h3> <div id="hs_form_target_form_964237733"></div> </span> </div> </div> </div> </div> </div> </article> </div> <div id="hs_cos_wrapper_module_169103980660822" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="footer-section" id="module_169103980660822"> <div class="container"> <div class="footer-sec-inr"> <div class="footer-box"> <div class="ls-footer"> <div class="ls-footer-inr"> <div class="ls-title"> <div class="ls-title-inr"> <h2> Stay Informed </h2> </div> </div> <div class="footer-content-group"> <div class="footer-form-head"> <h5> Sign up to receive the latest security news and trends straight to your inbox from Trustwave. 
</h5> </div> <div class="footer-form"> <span id="hs_cos_wrapper_module_169103980660822_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_form" style="" data-hs-cos-general-type="widget" data-hs-cos-type="form"><h3 id="hs_cos_wrapper_form_553578567_title" class="hs_cos_wrapper form-title" data-hs-cos-general-type="widget_field" data-hs-cos-type="text"></h3> <div id="hs_form_target_form_553578567"></div> </span> </div> </div> </div> </div> <div class="rs-footer"> <div class="rs-footer-inr"> <div class="menu-box"> <div class="menu-box-inr"> <div class="menu-col"> <span id="hs_cos_wrapper_module_169103980660822_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_simple_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="simple_menu"><div id="hs_menu_wrapper_module_169103980660822_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="" data-menu-id="" aria-label="Navigation Menu"> <ul role="menu"> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/about-us/leadership/" role="menuitem" target="_self">Leadership Team</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/about-us/our-history/" role="menuitem" target="_self">Our History</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/newsroom/news/" role="menuitem" target="_self">News Releases</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/newsroom/media/" role="menuitem" target="_self">Media Coverage</a></li> </ul> </div></span> </div> <div class="menu-col"> <span id="hs_cos_wrapper_module_169103980660822_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_simple_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="simple_menu"><div 
id="hs_menu_wrapper_module_169103980660822_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="" data-menu-id="" aria-label="Navigation Menu"> <ul role="menu"> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/careers/" role="menuitem" target="_self">Careers</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/global-locations/" role="menuitem" target="_self">Global Locations</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/about-us/accolades/" role="menuitem" target="_self">Awards &amp; Accolades</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/resources/security-resources/special-offers/" role="menuitem" target="_self">Trials &amp; Evaluations</a></li> </ul> </div></span> </div> <div class="menu-col"> <span id="hs_cos_wrapper_module_169103980660822_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_simple_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="simple_menu"><div id="hs_menu_wrapper_module_169103980660822_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="" data-menu-id="" aria-label="Navigation Menu"> <ul role="menu"> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/contact/" role="menuitem" target="_self">Contact</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/company/support/" role="menuitem" target="_self">Support</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/resources/security-resources/security-advisories/" role="menuitem" target="_self">Security Advisories</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a 
href="https://www.trustwave.com/en-us/resources/security-resources/software-updates/" role="menuitem" target="_self">Software Updates</a></li> </ul> </div></span> </div> </div> </div> <div class="social-box"> <ul> <li> <a href="https://www.linkedin.com/company/trustwave" target="_blank" rel="noopener"><svg style="max-width: 24px; max-height: 20px;" width="1200" height="1227" viewbox="0 0 1200 1227" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M714.163 519.284L1160.89 0H1055.03L667.137 450.887L357.328 0H0L468.492 681.821L0 1226.37H105.866L515.491 750.218L842.672 1226.37H1200L714.137 519.284H714.163ZM569.165 687.828L521.697 619.934L144.011 79.6944H306.615L611.412 515.685L658.88 583.579L1055.08 1150.3H892.476L569.165 687.854V687.828Z" fill="white"></path> </svg> </a> </li> <li> <a href="https://twitter.com/Trustwave" target="_blank" rel="noopener"><svg style="max-width: 24px; max-height: 20px;" width="1200" height="1227" viewbox="0 0 1200 1227" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M714.163 519.284L1160.89 0H1055.03L667.137 450.887L357.328 0H0L468.492 681.821L0 1226.37H105.866L515.491 750.218L842.672 1226.37H1200L714.137 519.284H714.163ZM569.165 687.828L521.697 619.934L144.011 79.6944H306.615L611.412 515.685L658.88 583.579L1055.08 1150.3H892.476L569.165 687.854V687.828Z" fill="white"></path> </svg> </a> </li> <li> <a href="https://www.youtube.com/channel/UC2CCqdrAxD9-Fv83NOdjhqA" target="_blank" rel="noopener"><svg style="max-width: 24px; max-height: 20px;" width="1200" height="1227" viewbox="0 0 1200 1227" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M714.163 519.284L1160.89 0H1055.03L667.137 450.887L357.328 0H0L468.492 681.821L0 1226.37H105.866L515.491 750.218L842.672 1226.37H1200L714.137 519.284H714.163ZM569.165 687.828L521.697 619.934L144.011 79.6944H306.615L611.412 515.685L658.88 583.579L1055.08 1150.3H892.476L569.165 687.854V687.828Z" fill="white"></path> </svg> </a> </li> </ul> </div> <div class="footer-bottom"> <div 
class="footer-bottom-inr"> <div class="ls-bottom"> <div class="bottom-menu"> <span id="hs_cos_wrapper_module_169103980660822_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_simple_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="simple_menu"><div id="hs_menu_wrapper_module_169103980660822_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="" data-menu-id="" aria-label="Navigation Menu"> <ul role="menu"> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/legal-documents/" role="menuitem" target="_self">Legal</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/legal-documents/terms-of-use/" role="menuitem" target="_self">Terms of Use</a></li> <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.trustwave.com/en-us/legal-documents/privacy-policy/" role="menuitem" target="_self">Privacy Policy</a></li> </ul> </div></span> </div> </div> <div class="cr-footer"> <div class="footer-copyright"> <p>Copyright © 2024 Trustwave Holdings, Inc. 
All rights reserved.</p> <input id="hippowiz-ass-injected" type="hidden" value="true"><input id="hvmessage-toextension-listener" type="hidden" value="none"> </div> </div> </div> </div> </div> </div> <!--MOBILE CTA BUTTON--> <div id="mobile-cta-button" class="req-demo-mob" style="position:fixed;left:0;display:block"> </div> <!--END MOBILE CTA BUTTON--> <!--POPUP CONTAINER--> <div class="mobile-cta mfp-hide text-base heading-default text-left inherit popup popup-zoom shadow-xl rounded p-12 mb:p-8 bg-white"> <div id="mobile-cta-popup"></div> </div> <!--END POPUP CONTAINER--> </div> </div> </div> </div> <div class="pagedebug" style="display: none;">not match: en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/</div> <!-- <span id="hs_cos_wrapper_module_169103980660822_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_form" style="" data-hs-cos-general-type="widget" data-hs-cos-type="form" ><h3 id="hs_cos_wrapper_form_308797919_title" class="hs_cos_wrapper form-title" data-hs-cos-general-type="widget_field" data-hs-cos-type="text"></h3> <div id='hs_form_target_form_308797919'></div> </span> --> </div> </div> <script src="/hs/hsstatic/jquery-libs/static-1.4/jquery/jquery-1.11.2.js"></script> <script src="/hs/hsstatic/jquery-libs/static-1.4/jquery-migrate/jquery-migrate-1.2.1.js"></script> <script>hsjQuery = window['jQuery'];</script> <!-- HubSpot performance collection script --> <script defer src="/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js"></script> <script defer src="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/template_assets/81597448358/1727892390921/Trustwave_Theme_by_CC/js/plugins/plugins.min.js"></script> <script defer src="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/template_assets/81597439004/1727892391697/Trustwave_Theme_by_CC/js/main.min.js"></script> <script defer 
src="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/template_assets/82153728608/1732208595523/Trustwave_Theme_by_CC/child.min.js"></script> <script> var hsVars = hsVars || {}; hsVars['language'] = 'en-us'; </script> <script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script> <script src="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/128102279083/1729705713034/module_128102279083_Global-Header.min.js"></script> <!--[if lte IE 8]> <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script> <![endif]--> <script data-hs-allowed="true" src="/_hcms/forms/v2.js"></script> <script data-hs-allowed="true"> var options = { portalId: '21158977', formId: '92358282-9e9e-4fe6-a21f-c30c1e55336d', formInstanceId: '5868', pageId: '147572829488', region: 'na1', pageName: "Analyzing Malware Hollow Processes", inlineMessage: "<p style=\"text-align: center;\"><strong>Thank You<\/strong><\/p>\n<p style=\"text-align: center;\"><img style=\"height: auto; max-width: 100%; width: 258px;\" src=\"https:\/\/21158977.fs1.hubspotusercontent-na1.net\/hubfs\/21158977\/Red%20Line.png\" alt=\"Red Line\" loading=\"lazy\" width=\"258\" height=\"22\"><\/p>\n<p style=\"text-align: center;\">Browse our latest <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/trustwave-blog\/\" rel=\"noopener\">blogs<\/a><\/span> or visit our <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/library\/\" rel=\"noopener\">Resource Library<\/a><\/span>.<\/p>", rawInlineMessage: "<p style=\"text-align: center;\"><strong>Thank You<\/strong><\/p>\n<p style=\"text-align: center;\"><img style=\"height: auto; max-width: 100%; width: 258px;\" src=\"https:\/\/21158977.fs1.hubspotusercontent-na1.net\/hubfs\/21158977\/Red%20Line.png\" alt=\"Red Line\" loading=\"lazy\" width=\"258\" height=\"22\"><\/p>\n<p style=\"text-align: 
center;\">Browse our latest <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/trustwave-blog\/\" rel=\"noopener\">blogs<\/a><\/span> or visit our <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/library\/\" rel=\"noopener\">Resource Library<\/a><\/span>.<\/p>", hsFormKey: "6d2d040bfe0bd12c6923e45fd6160fc0", css: '', target: '#hs_form_target_form_677305598', contentType: "blog-post", formsBaseUrl: '/_hcms/forms/', formData: { cssClass: 'hs-form stacked hs-custom-form' } }; options.getExtraMetaDataBeforeSubmit = function() { var metadata = {}; if (hbspt.targetedContentMetadata) { var count = hbspt.targetedContentMetadata.length; var targetedContentData = []; for (var i = 0; i < count; i++) { var tc = hbspt.targetedContentMetadata[i]; if ( tc.length !== 3) { continue; } targetedContentData.push({ definitionId: tc[0], criterionId: tc[1], smartTypeId: tc[2] }); } metadata["targetedContentMetadata"] = JSON.stringify(targetedContentData); } return metadata; }; hbspt.forms.create(options); </script> <script async> $('.share-btn.copy-link a').on('click', function(e) { e.preventDefault(); e.stopPropagation(); var $tempInput = $('<input>'), $this = $(this); $('body').append($tempInput); $tempInput.val(window.location.href).select(); document.execCommand('copy'); $tempInput.remove(); $this.parent().addClass('copy-indicator'); setTimeout(function(e) { $this.parent().removeClass('copy-indicator'); }, 2000); }); </script> <script data-hs-allowed="true"> var options = { portalId: '21158977', formId: '68741a11-8e56-4f23-ba7f-b2307e77714c', formInstanceId: '6181', pageId: '147572829488', region: 'na1', pageName: "Analyzing Malware Hollow Processes", inlineMessage: "Thank you for your email! You will soon receive the Trustwave newsletter", rawInlineMessage: "Thank you for your email! 
You will soon receive the Trustwave newsletter", hsFormKey: "31fd1a4642cd491425cfc9f15e12dc90", css: '', target: '#hs_form_target_form', contentType: "blog-post", formsBaseUrl: '/_hcms/forms/', formData: { cssClass: 'hs-form stacked hs-custom-form' } }; options.getExtraMetaDataBeforeSubmit = function() { var metadata = {}; if (hbspt.targetedContentMetadata) { var count = hbspt.targetedContentMetadata.length; var targetedContentData = []; for (var i = 0; i < count; i++) { var tc = hbspt.targetedContentMetadata[i]; if ( tc.length !== 3) { continue; } targetedContentData.push({ definitionId: tc[0], criterionId: tc[1], smartTypeId: tc[2] }); } metadata["targetedContentMetadata"] = JSON.stringify(targetedContentData); } return metadata; }; hbspt.forms.create(options); </script> <script data-hs-allowed="true"> var options = { portalId: '21158977', formId: '68741a11-8e56-4f23-ba7f-b2307e77714c', formInstanceId: '3580', pageId: '147572829488', region: 'na1', pageName: "Analyzing Malware Hollow Processes", inlineMessage: "<p>Thank you for your email! You will soon receive the Trustwave newsletter<\/p>", rawInlineMessage: "<p>Thank you for your email! 
You will soon receive the Trustwave newsletter<\/p>", hsFormKey: "05293367cb6755dc01dac9cfdcea5d1f", css: '', target: '#hs_form_target_form_18690061', contentType: "blog-post", formsBaseUrl: '/_hcms/forms/', formData: { cssClass: 'hs-form stacked hs-custom-form' } }; options.getExtraMetaDataBeforeSubmit = function() { var metadata = {}; if (hbspt.targetedContentMetadata) { var count = hbspt.targetedContentMetadata.length; var targetedContentData = []; for (var i = 0; i < count; i++) { var tc = hbspt.targetedContentMetadata[i]; if ( tc.length !== 3) { continue; } targetedContentData.push({ definitionId: tc[0], criterionId: tc[1], smartTypeId: tc[2] }); } metadata["targetedContentMetadata"] = JSON.stringify(targetedContentData); } return metadata; }; hbspt.forms.create(options); </script> <script src="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/174286900499/1732208583282/module_174286900499_blog-featured-resources.min.js"></script> <script data-hs-allowed="true"> var options = { portalId: '21158977', formId: 'be28fb83-5e9f-4da9-8132-5ee9008b9f31', formInstanceId: '9147', pageId: '147572829488', region: 'na1', pageName: "Analyzing Malware Hollow Processes", inlineMessage: "<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\"><strong>Thank You<\/strong><\/p>\n<p style=\"text-align: center;\">One of our sales specialists will be in touch with you shortly.<\/p>\n<p style=\"text-align: center;\"><img style=\"height: auto; max-width: 100%; width: 258px;\" src=\"https:\/\/21158977.fs1.hubspotusercontent-na1.net\/hubfs\/21158977\/Red%20Line%20Transparent.png\" alt=\"Red Line Transparent\" loading=\"lazy\" width=\"258\" height=\"22\"><\/p>\n<p style=\"text-align: center;\">Browse our latest <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/trustwave-blog\" rel=\"noopener\">blogs<\/a><\/span> or visit our 
<span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/library\/\" rel=\"noopener\">Resource Library<\/a><\/span>.<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>", rawInlineMessage: "<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\"><strong>Thank You<\/strong><\/p>\n<p style=\"text-align: center;\">One of our sales specialists will be in touch with you shortly.<\/p>\n<p style=\"text-align: center;\"><img style=\"height: auto; max-width: 100%; width: 258px;\" src=\"https:\/\/21158977.fs1.hubspotusercontent-na1.net\/hubfs\/21158977\/Red%20Line%20Transparent.png\" alt=\"Red Line Transparent\" loading=\"lazy\" width=\"258\" height=\"22\"><\/p>\n<p style=\"text-align: center;\">Browse our latest <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/trustwave-blog\" rel=\"noopener\">blogs<\/a><\/span> or visit our <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/library\/\" rel=\"noopener\">Resource Library<\/a><\/span>.<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>", hsFormKey: "67832cb5aa77be1666834de13e9ed533", css: '', target: '#hs_form_target_form_964237733', contentType: "blog-post", formsBaseUrl: '/_hcms/forms/', formData: { cssClass: 'hs-form stacked hs-custom-form' } }; options.getExtraMetaDataBeforeSubmit = function() { var metadata = {}; if (hbspt.targetedContentMetadata) { var count = hbspt.targetedContentMetadata.length; var targetedContentData = []; for (var i = 0; i < count; i++) { var tc = hbspt.targetedContentMetadata[i]; if ( tc.length !== 3) { continue; } targetedContentData.push({ definitionId: 
tc[0], criterionId: tc[1], smartTypeId: tc[2] }); } metadata["targetedContentMetadata"] = JSON.stringify(targetedContentData); } return metadata; }; hbspt.forms.create(options); </script> <script> // Function to set a session cookie function setSessionCookie(name, value) { document.cookie = name + "=" + value + "; path=/; SameSite=Lax"; } // Function to get a cookie by name function getCookie(name) { var nameEQ = name + "="; var ca = document.cookie.split(';'); for (var i = 0; i < ca.length; i++) { var c = ca[i].trim(); if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length); } return null; } $(document).ready(function () { // Function to switch themes function changeTheme(theme) { if (theme === 'dark') { $('body').removeClass('light-theme header-fixed').addClass('dark-theme'); setSessionCookie('theme', 'dark'); } else if (theme === 'light') { $('body').removeClass('dark-theme').addClass('light-theme header-fixed'); setSessionCookie('theme', 'light'); } } // Apply saved theme on page load var savedTheme = getCookie('theme'); if (savedTheme) { changeTheme(savedTheme); } // Handle theme change on button click $('a.theme-changer').on('click', function (e) { e.preventDefault(); if ($('body').hasClass('dark-theme')) { changeTheme('light'); } else if ($('body').hasClass('light-theme')) { changeTheme('dark'); } }); // Remove the 'hidden' class to display the content $('article.blog-details-page').removeClass('elem-hidden'); if ($('body').hasClass('light-theme')) { $('body').addClass('blog-detail-template theme-transition'); } else { $('body').addClass('dark-theme blog-detail-template theme-transition'); } }); </script> <script> $(document).ready(function() { // Check if it's a desktop device const isDesktop = window.matchMedia("(min-width: 1024px)").matches; if (isDesktop) { // Desktop: Set up sticky element const $stickyElement = $('.side_content-sticky'); $stickyElement.stick_in_parent({ offset_top: 135, recalc_every: 100 }); function checkStuck() { 
const style = window.getComputedStyle($stickyElement[0]); if (style.position === 'static') { $stickyElement.removeClass('stuck_elem'); } else { $stickyElement.addClass('stuck_elem'); } } // Optimized scroll listener let ticking = false; $(window).on('scroll', function() { if (!ticking) { window.requestAnimationFrame(function() { checkStuck(); ticking = false; }); ticking = true; } }); } else { // Mobile: Reorganize elements $('.blog-details-metadata').insertBefore('.blog-post-social-share'); } }); </script> <script defer src="https://www.trustwave.com/hs-fs/hub/21158977/hub_generated/module_assets/128101228672/1730829012405/module_128101228672_Global-Footer.min.js"></script> <script data-hs-allowed="true"> var options = { portalId: '21158977', formId: '68741a11-8e56-4f23-ba7f-b2307e77714c', formInstanceId: '9177', pageId: '147572829488', region: 'na1', pageName: "Analyzing Malware Hollow Processes", inlineMessage: "<p>Thank you for your email! You will soon receive the Trustwave newsletter<\/p>", rawInlineMessage: "<p>Thank you for your email! 
You will soon receive the Trustwave newsletter<\/p>", hsFormKey: "606e09ee1adfad8f642f409698022477", css: '', target: '#hs_form_target_form_553578567', contentType: "blog-post", formsBaseUrl: '/_hcms/forms/', formData: { cssClass: 'hs-form stacked hs-custom-form' } }; options.getExtraMetaDataBeforeSubmit = function() { var metadata = {}; if (hbspt.targetedContentMetadata) { var count = hbspt.targetedContentMetadata.length; var targetedContentData = []; for (var i = 0; i < count; i++) { var tc = hbspt.targetedContentMetadata[i]; if ( tc.length !== 3) { continue; } targetedContentData.push({ definitionId: tc[0], criterionId: tc[1], smartTypeId: tc[2] }); } metadata["targetedContentMetadata"] = JSON.stringify(targetedContentData); } return metadata; }; hbspt.forms.create(options); </script> <script> $(document).ready(function() { let windowLocation = window.location.pathname; let contactPageUrls = [ '/en-us/company/contact/', '/en-us/company/global-locations/', '/en-us/company/support/', '/en-us/company/contact/government-support/', '/en-us/company/contact/security-breach/', '/en-us/company/contact/government-security-breach/' ]; let formID = contactPageUrls.includes(windowLocation) ? 
'361db4f3-34d0-484c-9d02-f28084e99b92' : '0ba582d8-a14e-4ce6-9ec3-def133446115'; if (window.matchMedia('(max-width: 768px)').matches) { hbspt.forms.create({ portalId: "21158977", formId: formID, target: "#mobile-cta-popup" }); } }); </script> <script data-hs-allowed="true"> var options = { portalId: '21158977', formId: '0ba582d8-a14e-4ce6-9ec3-def133446115', formInstanceId: '845', pageId: '147572829488', region: 'na1', pageName: "Analyzing Malware Hollow Processes", inlineMessage: "<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\"><strong>Thank You<\/strong><\/p>\n<p style=\"text-align: center;\">One of our sales specialists will be in touch with you shortly.&nbsp;<\/p>\n<p style=\"text-align: center;\"><img style=\"height: auto; max-width: 100%; width: 258px;\" src=\"https:\/\/21158977.fs1.hubspotusercontent-na1.net\/hubfs\/21158977\/Red%20Line.png\" alt=\"Red Line\" loading=\"lazy\" width=\"258\" height=\"22\"><\/p>\n<p style=\"text-align: center;\">Browse our latest <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/trustwave-blog\/\" rel=\"noopener\">blogs<\/a><\/span> or visit our <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/library\/\" rel=\"noopener\">Resource Library<\/a><\/span>.<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>", rawInlineMessage: "<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\"><strong>Thank You<\/strong><\/p>\n<p style=\"text-align: center;\">One of our sales specialists will be in touch with you shortly.&nbsp;<\/p>\n<p style=\"text-align: center;\"><img style=\"height: auto; max-width: 100%; width: 258px;\" 
src=\"https:\/\/21158977.fs1.hubspotusercontent-na1.net\/hubfs\/21158977\/Red%20Line.png\" alt=\"Red Line\" loading=\"lazy\" width=\"258\" height=\"22\"><\/p>\n<p style=\"text-align: center;\">Browse our latest <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/trustwave-blog\/\" rel=\"noopener\">blogs<\/a><\/span> or visit our <span style=\"color: #0096b3;\"><a style=\"color: #0096b3;\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/library\/\" rel=\"noopener\">Resource Library<\/a><\/span>.<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>\n<p style=\"text-align: center;\">&nbsp;<\/p>", hsFormKey: "8b509802cf076540e1eb3fc87d539317", css: '', target: '#hs_form_target_form_308797919', contentType: "blog-post", formsBaseUrl: '/_hcms/forms/', formData: { cssClass: 'hs-form stacked hs-custom-form' } }; options.getExtraMetaDataBeforeSubmit = function() { var metadata = {}; if (hbspt.targetedContentMetadata) { var count = hbspt.targetedContentMetadata.length; var targetedContentData = []; for (var i = 0; i < count; i++) { var tc = hbspt.targetedContentMetadata[i]; if ( tc.length !== 3) { continue; } targetedContentData.push({ definitionId: tc[0], criterionId: tc[1], smartTypeId: tc[2] }); } metadata["targetedContentMetadata"] = JSON.stringify(targetedContentData); } return metadata; }; hbspt.forms.create(options); </script> <!-- Start of HubSpot Analytics Code --> <script type="text/javascript"> var _hsq = _hsq || []; _hsq.push(["setContentType", "blog-post"]); _hsq.push(["setCanonicalUrl", "https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/analyzing-malware-hollow-processes\/"]); _hsq.push(["setPageId", "147572829488"]); _hsq.push(["setContentMetadata", { "contentPageId": 147572829488, "legacyPageId": "147572829488", "contentFolderId": null, "contentGroupId": 123670301864, "abTestId": null, "languageVariantId": 147572829488, 
"languageCode": "en-us", }]); </script> <script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/21158977.js"></script> <!-- End of HubSpot Analytics Code --> <script type="text/javascript"> var hsVars = { render_id: "b8728aa2-2b1a-4be6-95d8-6ebd7e58f3f7", ticks: 1732371945942, page_id: 147572829488, content_group_id: 123670301864, portal_id: 21158977, app_hs_base_url: "https://app.hubspot.com", cp_hs_base_url: "https://cp.hubspot.com", language: "en-us", analytics_page_type: "blog-post", scp_content_type: "", analytics_page_id: "147572829488", category_id: 3, folder_id: 0, is_hubspot_user: false } </script> <script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.354/js/index.js"></script> <script> // Function to erase the cookie: function eraseCookie(name, path = '/', domain = '.trustwave.com') { document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}; domain=${domain};`; } // Clear the cookie that hides the welcome message from Chat eraseCookie('hs-messages-hide-welcome-message'); </script> <div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.0"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script> </body></html>

Pages: 1 2 3 4 5 6 7 8 9 10