PichichiH0ll0wer: Nim process hollowing loader
PichichiH0ll0wer
Process hollowing loader written in Nim for PEs only
PichichiH0ll0wer has some features to protect your payload.
Features
- Configurable builder
- Payload encrypted and compressed (and optionally splitted) in the hollow loader
- Supports splitted injection using multiple processes
- Supports direct and indirect system calls
- Hollower does not use the very suspicious call Nt/ZwUnmapViewOfSection
- Can build EXE / DLL hollow loaders
- Can block unsigned Microsoft DLLs from being loaded to the hollowed process
- Supports anti-debug techniques with the ability to die or to execute useless calculations (‘troll’ mode)
- Obfuscated sleep using useless calculations
- Supports execution within VEH
- Supports command line Rc4 key to decrypt the payload
Injection methods
- Simple hollowing: just the usual stuff: VirtualAlloc -> WriteProcessMemory -> GetThreadContext -> SetThreadContext -> ResumeThread.
- Direct syscalls hollowing: using the great NimlineWhispers2.
- Indirect syscalls hollowing: using the great NimlineWhispers3.
- Splitted hollowing: each step of method (1) is occurring in a separate process with inherited handles.
- Splitted hollowing: each step of method (2) is occurring in a separate process with inherited handles.
- Splitted hollowing: each step of method (3) is occurring in a separate process with inherited handles.
An example of splitted hollowing of cscript.exe with cmd.exe that spawns whoami.exe:
Install & Use
Copyright (c) 2022 Itay Migdal
