ntUnmapViewOfSection vs dll injection approach

DMEW
Posts: 15
Joined: Mon May 04, 2015 7:39 pm

ntUnmapViewOfSection vs dll injection approach

Post by DMEW » Sun Aug 21, 2016 6:16 pm

Is there any special reason why malware sometimes opts for process hollowing vs injection? They seem to achieve the same result, yet DLL injection with CreateRemoteThread is much easier to implement and maintains the original process's code, which may help hide it more. What's the benefit?

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: ntUnmapViewOfSection vs dll injection approach

Post by EP_X0FF » Mon Aug 22, 2016 11:03 am

I have no idea what "hollowing" you are referring to. Idiotic term from "security experts"?
Ring0 - the source of inspiration

waffles2.0
Posts: 28
Joined: Mon Aug 01, 2016 9:49 am

Re: ntUnmapViewOfSection vs dll injection approach

Post by waffles2.0 » Mon Aug 22, 2016 3:54 pm

I assume he is referring to this, maybe?

https://www.trustwave.com/Resources/Spi ... Processes/

DMEW
Posts: 15
Joined: Mon May 04, 2015 7:39 pm

Re: ntUnmapViewOfSection vs dll injection approach

Post by DMEW » Mon Aug 22, 2016 10:35 pm

Yes, the article describes the technique I'm referring to. Maybe there is no benefit... just another technique.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: ntUnmapViewOfSection vs dll injection approach

Post by EP_X0FF » Thu Aug 25, 2016 3:13 pm

Oh you mean zombie process. The only benefit is AV/FW bypass. This applies to the use of any non-CreateRemoteThread methods.
Ring0 - the source of inspiration

DMEW
Posts: 15
Joined: Mon May 04, 2015 7:39 pm

Re: ntUnmapViewOfSection vs dll injection approach

Post by DMEW » Fri Aug 26, 2016 3:32 pm

Ah ok. Thanks guys.
