Archiv: process hollowing

16.05.2018 - 13:57

Lost in Transaction: Process Doppelgänging

• Advanced Code Injections Overview
  • GhostWriting
  • AtomBombing
  • PowerLoader + PowerLoaderEx
  • PROPagate
  • Reflective Loading
  • Process Hollowing
    • Injection method from over 10 years ago
    • Has never received much attention

• Brief history of evasion techniques
  • AV scanners
  • Transacted NTFS (TxF)
  • Evolution of Windows process loader

16.05.2018 - 13:18

Microsoft’s Response to AtomBombing is Post-Infection Detection

(21.7.2017) The Microsoft update that addresses both “Process Hollowing” and “AtomBombing” will only be available to those who have purchased Windows Defender, and only in October or November 2017. Windows Defender ATP has been addressing security issues for less than a year, and Windows customers have to purchase Windows Defender ATP separately.

16.05.2018 - 12:46

A Spy in the Machine

(21.1.2015) He changed his password, alerted his friend, and stopped using Facebook Messenger — but the intrusions kept coming.

In another instance, Moosa noticed that someone posing as him solicited his female Facebook friends for sex — part of an effort, it seemed, to blackmail or perhaps defame him in Bahrain’s conservative media. Facebook was only the beginning. Unbeknownst to him, Moosa’s phone and computer had been infected with a highly sophisticated piece of spyware, built and sold in secret. The implant effectively commandeered his digital existence, collecting everything he did or said online.