August 4, 2020

DLL Injection And Process Hollowing Detection in Pest Code Analysis

In forensic information examinations, computers that are thought to have been compromised by a malicious code sometimes come out, and we are expected to detect these harmful codes, how and when the harmful code got into the system, what the capabilities of this harmful code are, and how it provides the continuity in the system. First of all, if it is suspected that malicious code is working on the system to be analyzed, it is necessary to underline that the data must be collected by performing a live examination on the relevant system. This data includes the physical memory of the related computer, which we will analyze later. Analysis methods will be carried out on the physical memory of the computer on which the potentially harmful code is running.

DLL injection

The method called DLL injection is one of the most used methods by the harmful codes that we encounter today, and this method is a method that harmful codes use to hide. These codes, which work by settling in the memory area of ​​a harmless process, cannot be detected in the analyzes carried out by careless eyes and these harmless codes can continue their existence for a long time on the systems they are infected with. In addition, in-memory analysis, harmful codes that are located in memory can be easily detected with DLL injection method. There are many methods that malicious code can use for DLL injection. For example, malicious code can load the corresponding DLL into the memory area of ​​the harmless process by calling functions such as VirtualAllocEx (), CreateRemoteThread (), SetWindowsHookEx ().

Process Hollowing

The method called Process Hollowing is slightly different from the method we have described above. The malicious code using this method first runs a valid system process, then stops that process, and then replaces its codes with the original codes of that process, and finally runs the code that it stopped and settled in the system.

Using the methods I described above, it is possible to easily detect harmful codes placed in the system by performing memory analysis. It will be enough for the memory analysis software we will use to read the VAD (Virtual Address Descriptors) structure for each process, to analyze the memory regions allocated to these processes, to find the memory sections marked as executable (Page_Execute_ReadWrite), and then to check whether the codes in these memory sections have a counterpart on the disk. When the memory analysis software detects that the executable code in the respective memory region does not have a counterpart on the disk, it concludes that the memory area is most likely an injection area. Process Hollowing is much easier to detect. If the running process cannot be associated with a file on the disk, we can say that we are facing a process hollowing process.


You can use Mandiant RedLine or Volatility as memory analysis software to detect the above methods. We will explain how to determine with both. Let’s start with Volatility. Thanks to the mallfind command in volatility, we can easily learn the injected pieces of code. An example of usage is shown below. As can be seen, executable code fragments starting with MZ are located in memory areas marked as Page_Execute_ReadWrite.


DLL injection – Mandiant Redline

With DLL injection, we can easily detect the codes that are stored in the memory with Mandiant’s Redline software. When we analyze the memory image we used in the example above with Redline this time, we can see the processes injected codes are injected by clicking the Injected Memory Sections link in the Memory Section section, as can be seen from the screenshot below.

DLL injection - Mandiant Redline
DLL injection – Mandiant Redline


To get more detailed information about the injected codes in the list on this screen, it will be enough to select the relevant part and click the More Details link that appears at the bottom. You will see a window similar to the one below, with more detailed information. As we mentioned above, Mapped is False for injected codes.

Mandiant Redline-More Details
Mandiant Redline-More Details


Process Hollowing – Volatility

One of the fastest methods available for Process Hollowing detection is the pstree command in Volatility. In the output of this command, we can quickly learn when each process is started by which process. We can run the command on a sample memory image we have and look at the results.

Process Hollowing - Volatility
Process Hollowing – Volatility


In the above output, lsass.exe processes draw our attention. The lsass.exe (Local Security Authority Subsystem Service) process, which is run by the winlogon.exe process under normal conditions and only needs to run one in each system, appears as three on the computer we examine. We can see that the lsass.exe process, which has a PID value of 680, is run by winlogon.exe and the time to run coincides with winlogon.exe. This tells us that this is the real lsass.exe process. When we look at the other two lsass.exe processes, we can say that they are run by services.exe and installed on the system long after the computer starts.

In order to detect Process Hollowing with Mandiant Redline, it will be sufficient to look at the MRI (Malware Risk Index) Report results produced as a result of the relevant analysis. Thanks to the automated identification feature in Redline, we can easily detect such harmful processes. The result of the MRI Report obtained as a result of the analysis made with Mandiant Redline on the sample memory image above is shown below.

Mandiant Redline - MRI Report
Mandiant Redline – MRI Report


Leave a Reply

Your email address will not be published. Required fields are marked *