What is Process Hollowing and how does it enable red team trade-craft?
Learn what Process Hollowing is and how it is abused for red team trade-craft.
I’d like to begin this by mentioning that this technique is also being referred to as Process Hallowing at multiple places on the internet, which is incorrect. If you look at the dictionary definition of hallow, it has nothing to do with what this technique is about. My best guess is that someone somewhere long back mistyped hollowing as hallowing and it got picked up by other people. If you have information that counters this, please feel free to comment below.
Have you ever replaced the contents of a sugar box with salt, just to prank your mother? If your mother fell for this prank, congratulations (or not): you just performed process hollowing in the physical world. By replacing the contents of the sugar box with salt, you leveraged the process of making tea (or anything else that uses sugar) to achieve your nefarious objective, making everyone drink salty tea.
This is how process hollowing works in the digital world as well. When a red team operator replaces the contents of a trusted and genuine process with content of their choosing (i.e. malicious code), they can perform all sorts of actions on the target host in the context of that trusted and genuine process. This is known as Process Hollowing, and it is a process injection technique.
In theory, malicious activity carried out this way goes undetected. In practice, host-based security solutions have advanced enough to detect this technique.
Red Team Notes
In technical terms, process hollowing is when a malicious program takes over a legitimate one. The red team operator starts a normal program but secretly "hollows" it out (removes its real code) and fills it with their own malicious code. From the outside it still looks like the trusted application, but inside it is the malicious code that runs, doing things like stealing your data or installing more harmful components.
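As an added defender-side example (not code from the original post), the Python below applies the classic detection heuristic for a hollowed process: the PE header of the trusted executable on disk is compared with the header actually mapped in the running process, and any field a replaced image typically changes (entry point, ImageBase, SizeOfImage) is reported. The sample headers are constructed inside the script so it runs offline; in a real check the in-memory bytes would come from a memory dump or a process memory read, and this is one indicator among several, not a complete detector.

```python
import struct

# Offsets inside IMAGE_OPTIONAL_HEADER; these first fields are laid out the same in PE32 and PE32+.
OPT_MAGIC, OPT_ENTRYPOINT, OPT_IMAGEBASE, OPT_SIZEOFIMAGE = 0, 16, 24, 56

def parse_pe_fields(data: bytes) -> dict:
    """Extract entry point RVA, ImageBase and SizeOfImage from a PE header blob."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", data, opt + OPT_MAGIC)[0]
    entry = struct.unpack_from("<I", data, opt + OPT_ENTRYPOINT)[0]
    if magic == 0x10B:                            # PE32: 4-byte ImageBase
        base = struct.unpack_from("<I", data, opt + OPT_IMAGEBASE)[0]
    elif magic == 0x20B:                          # PE32+: 8-byte ImageBase
        base = struct.unpack_from("<Q", data, opt + OPT_IMAGEBASE)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size = struct.unpack_from("<I", data, opt + OPT_SIZEOFIMAGE)[0]
    return {"entry_point": entry, "image_base": base, "size_of_image": size}

def hollowing_indicators(disk_header: bytes, memory_header: bytes) -> list:
    """Return the PE fields where the mapped image disagrees with the file on disk."""
    d, m = parse_pe_fields(disk_header), parse_pe_fields(memory_header)
    return [field for field in d if d[field] != m[field]]

def build_header(entry: int, base: int, size: int, magic: int = 0x10B) -> bytes:
    """Constructed minimal PE header used only as sample input; not a real binary."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)         # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew: PE header starts at 0x40
    hdr += b"PE\0\0" + b"\0" * 20                 # PE signature + zeroed COFF header
    opt = bytearray(96 if magic == 0x10B else 112)
    struct.pack_into("<H", opt, OPT_MAGIC, magic)
    struct.pack_into("<I", opt, OPT_ENTRYPOINT, entry)
    struct.pack_into("<I" if magic == 0x10B else "<Q", opt, OPT_IMAGEBASE, base)
    struct.pack_into("<I", opt, OPT_SIZEOFIMAGE, size)
    return bytes(hdr + opt)

# Constructed samples: the trusted executable on disk, an untouched process, and one whose
# image was replaced by a payload with a different base, entry point and size.
DISK = build_header(entry=0x1234, base=0x400000, size=0x5000)
CLEAN = build_header(entry=0x1234, base=0x400000, size=0x5000)
HOLLOWED = build_header(entry=0x2A00, base=0x10000000, size=0x9000)

if __name__ == "__main__":
    print("clean process:", hollowing_indicators(DISK, CLEAN))        # []
    print("hollowed process:", hollowing_indicators(DISK, HOLLOWED))  # ['entry_point', 'image_base', 'size_of_image']
```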
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
Real-world cyber attacks in which this technique was used include Stuxnet, Emotet and Lokibot.
If you want to dive deep into the technical details of how process hollowing works, different process hollowing techniques and how it can be detected, below is the recording of a presentation, What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection by Monnappa K A, presented at BlackHat Asia 2017.