Process hollowing

Process hollowing is a type of malware that creates a copy of a legitimate process in order to hide its malicious code. The legitimate process is then terminated and replaced with the malicious copy, which can be used to evade detection and perform malicious actions.

Process hollowing is a common technique used by malware, particularly rootkits and backdoors. It can be used to bypass security measures, such as antivirus software, and to gain persistence on a system. Process hollowing can also be used for legitimate purposes, such as to inject code into a process for debugging or performance monitoring.

What is process Doppelgänging?

Doppelgänging is a process isolation technique that allows a process to be run in two separate security contexts. The technique is also known as process forking.

Doppelgänging is used to improve security by allowing a process to be run in a more restricted security context than the parent process. This can be useful if the process needs to access sensitive data or perform privileged operations.

Doppelgänging can also be used to improve performance by allowing a process to be run in a separate process space. This can be useful if the process is CPU-intensive or if it is using a lot of memory.

Doppelgänging is an advanced technique and should only be used if absolutely necessary.

What is hook injection technique?

Hook injection is a technique used to inject code into a process in order to alter or extend the functionality of that process. The code that is injected is typically called a "hook" and can be used to intercept function calls or messages, modify data, etc.

There are many different ways to inject code into a process, but the most common methods are through DLL injection or API hooking. DLL injection involves injecting code into a process by loading a DLL into the process's address space. API hooking involves intercepting calls to a process's API functions and redirecting them to a custom function.

Hook injection can be used for a variety of purposes, such as debugging, monitoring, or modifying the behavior of a process.

What is process replacement?

Process replacement is the creation of a new process by copying the attributes of an existing process. This is typically done to replace a process that is no longer running or has crashed.

What is DLL side loading?

DLL side loading occurs when a program tries to load a DLL (dynamic link library) from a location other than the standard Windows system directories. This can happen if the program is not properly configured, or if a malicious program has modified the system's search path.

DLL side loading can cause problems because the program may not be able to find the DLL it needs, or it may find the wrong DLL. Either way, the program may not work properly. In some cases, DLL side loading can be used to exploit security vulnerabilities.

To help prevent DLL side loading, Microsoft has introduced a new security feature called application whitelisting. With application whitelisting, you can specify which programs are allowed to run on your system. This can help prevent malicious programs from running, and can also help prevent mistakes that can lead to DLL side loading.
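The search-path behaviour behind DLL side loading can be checked rather than guessed. The example below is added here and is not code from the original page: it models the default Windows DLL search order (SafeDllSearchMode on) over a constructed file listing, resolves the DLLs an executable loads by name, and flags any DLL that resolved outside the system directories while a same-named DLL also exists in System32. The file paths, the `app.exe` vendor layout and the `audit_process` helper are all constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed view of a Windows file system: the set of files that exist.
FAKE_FS = {
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Program Files\Vendor\version.dll",   # same name as a system DLL, next to the EXE
    r"C:\Program Files\Vendor\vendorcore.dll",
}

SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")

def search_order(app_dir, cwd, path_dirs):
    """Default DLL search order with SafeDllSearchMode enabled (the Windows default)."""
    return [app_dir, r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]

def resolve_dll(name, app_dir, cwd, path_dirs, fs=FAKE_FS):
    """Return the path the loader would pick for `name`, or None if it is not found.
    Assumes the DLL is not a KnownDLL and is requested by bare name (no full path)."""
    existing = {p.lower() for p in fs}
    for d in search_order(app_dir, cwd, path_dirs):
        candidate = str(PureWindowsPath(d) / name)
        if candidate.lower() in existing:
            return candidate
    return None

def is_side_loaded(resolved, fs=FAKE_FS):
    """Flag a DLL that resolved outside the system directories while a DLL of the
    same name also exists in System32 (the classic side-loading shape)."""
    if resolved is None:
        return False
    p = PureWindowsPath(resolved)
    in_system_dir = any(str(p.parent).lower() == d.lower() for d in SYSTEM_DIRS)
    shadowed = str(PureWindowsPath(r"C:\Windows\System32") / p.name).lower() in {f.lower() for f in fs}
    return not in_system_dir and shadowed

def audit_process(app_exe, dll_names, cwd=r"C:\Users\alice", path_dirs=(), fs=FAKE_FS):
    """Resolve each DLL an executable loads by name and report suspicious ones."""
    app_dir = str(PureWindowsPath(app_exe).parent)
    findings = {}
    for name in dll_names:
        resolved = resolve_dll(name, app_dir, cwd, path_dirs, fs)
        findings[name] = (resolved, is_side_loaded(resolved, fs))
    return findings

if __name__ == "__main__":
    report = audit_process(r"C:\Program Files\Vendor\app.exe", ["version.dll", "kernel32.dll", "vendorcore.dll"])
    for name, (path, flagged) in report.items():
        print(f"{name:15} -> {path}  {'SUSPICIOUS' if flagged else 'ok'}")
```

On a live system the same check applies to a process's actual module list (for example from Sysinternals Process Explorer or `tasklist /m`): a module whose name matches a System32 DLL but whose path is the application directory is worth a closer look.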

Are rootkits malware?

Rootkits are a type of malware that allows attackers to gain control of a system without being detected. They are often used to steal sensitive information or to allow an attacker to remotely control the system. Rootkits can be difficult to detect and remove, and they can cause serious damage to a system.