chore: fix license, add disclaimer, quick start, GitHub topics, issue templates

This commit is contained in:
mukul975
2026-03-11 01:42:17 +01:00
parent e09b84a7da
commit 4ed6f49151
1468 changed files with 152538 additions and 13660 deletions
@@ -1,103 +1,44 @@
# API Reference: Process Hollowing Detection
# API Reference: Detecting Process Hollowing Technique
## MITRE ATT&CK Mapping
- **Technique**: T1055.012 — Process Hollowing
- **Tactic**: Defense Evasion, Privilege Escalation
## Process Hollowing API Sequence
## Windows API Functions Used in Hollowing
| Step | API Call | Purpose |
|------|----------|---------|
| 1 | CreateProcess(SUSPENDED) | Create target suspended |
| 2 | NtUnmapViewOfSection | Unmap legitimate code |
| 3 | VirtualAllocEx | Allocate for payload |
| 4 | WriteProcessMemory | Write malicious code |
| 5 | SetThreadContext | Redirect execution |
| 6 | ResumeThread | Execute payload |
### CreateProcessA/W (kernel32.dll)
```c
BOOL CreateProcessW(
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags, // CREATE_SUSPENDED = 0x4
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
## Commonly Hollowed Processes
| Process | Reason |
|---------|--------|
| svchost.exe | Trusted, always running |
| explorer.exe | UI process |
| notepad.exe | Simple, rarely monitored |
| dllhost.exe | COM surrogate |
## Sysmon Detection Events
| Event ID | Detection |
|----------|-----------|
| 1 | Suspicious parent-child |
| 8 | CreateRemoteThread into hollowed target |
| 10 | Process Access with PROCESS_ALL_ACCESS |
## Splunk SPL
```spl
index=sysmon EventCode=10
| where TargetImage IN ("*\svchost.exe","*\explorer.exe")
| where GrantedAccess IN ("0x1FFFFF","0x1F3FFF")
| table _time SourceImage TargetImage GrantedAccess Computer
```
### NtUnmapViewOfSection (ntdll.dll)
```c
NTSTATUS NtUnmapViewOfSection(
HANDLE ProcessHandle,
PVOID BaseAddress
);
```
### VirtualAllocEx (kernel32.dll)
```c
LPVOID VirtualAllocEx(
HANDLE hProcess,
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect // PAGE_EXECUTE_READWRITE = 0x40
);
```
### WriteProcessMemory (kernel32.dll)
```c
BOOL WriteProcessMemory(
HANDLE hProcess,
LPVOID lpBaseAddress,
LPCVOID lpBuffer,
SIZE_T nSize,
SIZE_T *lpNumberOfBytesWritten
);
```
### ResumeThread (kernel32.dll)
```c
DWORD ResumeThread(HANDLE hThread);
```
## Detection via Linux /proc Filesystem
### /proc/[pid]/exe
Symlink to the actual executable. If deleted or replaced, shows `(deleted)`.
### /proc/[pid]/maps
```
address perms offset dev inode pathname
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/target
```
### /proc/[pid]/status
```
Name: svchost
Pid: 1234
PPid: 567
VmExe: 512 kB
```
## Sysmon Event IDs for Detection
| Event ID | Description |
|----------|-------------|
| 1 | Process Create (check CREATE_SUSPENDED flag) |
| 8 | CreateRemoteThread |
| 10 | ProcessAccess (PROCESS_VM_WRITE + PROCESS_VM_OPERATION) |
| 25 | ProcessTampering (image replaced) |
## PowerShell Detection Queries
### Get process with module mismatch
```powershell
Get-Process | Where-Object {
$_.Path -and $_.MainModule.FileName -and
($_.Path -ne $_.MainModule.FileName)
}
```
### Check for suspended child processes
```powershell
Get-CimInstance Win32_Process | Where-Object {
$_.ExecutionState -eq 'Suspended'
} | Select-Object ProcessId, Name, ParentProcessId, CommandLine
## CLI Usage
```bash
python agent.py --sysmon-log Sysmon.evtx
```