Execution of the malicious code is masked under a legitimate process.
Execution of the malicious code is masked under a legitimate process.
Note: I had to change ‘original’ source code to compile and execute, you can find both of them in this repository.
Line #28 -> hollowed out:
CreateProcessA(NULL, (LPSTR)"c:\\windows\\syswow64\\notepad.exe", NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi);
Line #41 -> executed inside the hollowed process:
HANDLE sourceFile = CreateFileA("C:\\windows\\syswow64\\calc.exe", GENERIC_READ, NULL, NULL, OPEN_ALWAYS, NULL, NULL);
cmd.exe /c %TMP%\ProcessHollowing.exe && timeout 5 && tasklist /svc | findstr /i calculator"