Confuser.Protections.HoLLy

Process hollowing

Open holly-hacker opened this issue 6 years ago • 4 comments

I've seen this in practice before. Hollowing an external or one's own process would be a neat packer. For more see this.

EDIT: This seems to be called RunPE.

holly-hacker, Mar 08 '18 13:03

See this crackme for a practical implementation.

holly-hacker, Mar 08 '18 13:03

While a neat concept, it's very easy to dump so it wouldn't be much of a protection. Not to mention it would be flagged by any half-decent anti-malware software, as it's often used to disguise malware.

roachadam, Oct 24 '18 02:10

Any packer can easily be dumped, there is separate protection for that, and it's true that this would possibly be detected by anti-malware software, but you run that risk regardless when you obfuscate your software.

This wouldn't be very practical for most applications, but it just seems like a fun thing to implement nonetheless.

holly-hacker, Oct 24 '18 06:10

Process hollowing is useless.

owersite, Nov 28 '20 21:11