Process hollowing is a sophisticated technique used by cyber attackers to inject malicious code into legitimate processes running on a computer system. This technique is often used to bypass security measures and gain unauthorized access to system resources. The term “process hollowing” refers to the method of hollowing out the memory space of a legitimate process and replacing it with malicious code.

Process hollowing is a form of code injection, a broad category of cyber-attack techniques that involve inserting malicious code into an existing software process. This technique is particularly insidious because it allows the attacker to execute malicious code while appearing to be a legitimate process, thereby evading detection by security software.

Understanding Process Hollowing

Process hollowing is a complex technique that involves several steps. The first step is the selection of a target process, which is typically a legitimate process running on the system. The attacker then suspends the target process and hollows out its memory space, effectively creating a shell in which the malicious code can be inserted.

Once the memory space has been hollowed out, the attacker injects the malicious code into the shell. The malicious code is typically designed to perform some form of malicious activity, such as stealing sensitive information, launching a denial of service attack, or creating a backdoor into the system.

Selection of Target Process

The selection of the target process is a critical step in the process hollowing technique. The attacker typically chooses a process that is commonly found on the system and is unlikely to arouse suspicion. For example, the attacker might choose a process associated with a commonly used application, such as a web browser or email client.

The attacker might also choose a process that has the necessary permissions to perform the desired malicious activity. For example, if the attacker wants to modify system settings, they might choose a process that has administrative privileges.

Memory Hollowing

The next step in the process hollowing technique is to hollow out the memory space of the target process. This involves suspending the target process and then modifying its memory space to create a shell for the malicious code. This is typically done using low-level system calls that allow the attacker to directly manipulate the memory space of the process.

The hollowing out of the memory space is a delicate operation that requires a deep understanding of the target process and the operating system. If done incorrectly, it can cause the target process to crash, which might alert the user or system administrators to the attack.

Execution of Malicious Code

Once the memory space has been hollowed out and the malicious code has been injected, the attacker then resumes the execution of the target process. The malicious code is now running within the context of the legitimate process, and can perform its malicious activities without arousing suspicion.

The execution of the malicious code is typically done in such a way that it appears to be part of the normal operation of the target process. This can make it extremely difficult for security software to detect the malicious activity.

Stealth and Evasion

One of the key advantages of process hollowing is its ability to evade detection by security software. Because the malicious code is running within the context of a legitimate process, it can often bypass security measures that are designed to detect and block malicious processes.

Furthermore, because the malicious code is executing within the memory space of the target process, it can often evade detection by security software that scans the file system for malicious files. This makes process hollowing a particularly stealthy and effective technique for executing malicious code.

Malicious Activities

The malicious code injected through process hollowing can be designed to perform a wide range of malicious activities. These can include stealing sensitive information, such as usernames and passwords; launching denial of service attacks; creating a backdoor into the system; or downloading and installing additional malware.

The specific activities performed by the malicious code will depend on the goals of the attacker. However, regardless of the specific activities, the malicious code will typically be designed to operate stealthily, in order to avoid detection and prolong its presence on the system.

Prevention and Detection of Process Hollowing

Preventing and detecting process hollowing can be challenging due to its stealthy nature and the use of legitimate processes to execute malicious code. However, there are several strategies that can be used to mitigate the risk of process hollowing attacks.

One strategy is to use security software that is capable of detecting anomalous behavior in processes. This can include unusual memory usage, unexpected network connections, or unusual system calls. By monitoring for these signs of anomalous behavior, it may be possible to detect a process hollowing attack in progress.

Behavioral Analysis

Behavioral analysis is a technique used by some security software to detect malicious activity. This involves monitoring the behavior of processes and looking for signs of malicious activity. For example, if a process suddenly starts making unusual system calls or network connections, this could be a sign of a process hollowing attack.

Behavioral analysis can be an effective way to detect process hollowing attacks, but it requires a sophisticated understanding of normal process behavior. Furthermore, it can be resource-intensive, as it requires constant monitoring and analysis of process behavior.

Memory Forensics

Memory forensics is another technique that can be used to detect process hollowing attacks. This involves analyzing the memory space of processes to look for signs of malicious activity. For example, if a process’s memory space contains code that does not match the code on disk, this could be a sign of a process hollowing attack.

Memory forensics can be a powerful tool for detecting process hollowing attacks, but it requires specialized knowledge and tools. Furthermore, it can be time-consuming, as it involves analyzing large amounts of data.


Process hollowing is a sophisticated and stealthy technique used by cyber attackers to execute malicious code within the context of legitimate processes. While it can be challenging to detect and prevent, understanding how it works can help in developing effective strategies to mitigate its risks.

By monitoring for signs of anomalous behavior, using behavioral analysis and memory forensics, and employing security software capable of detecting such attacks, it is possible to protect systems against process hollowing and maintain the integrity of your digital environment.

With cybersecurity threats on the rise, organizations need to protect all areas of their business. This includes defending their websites and web applications from bots, spam, and abuse. In particular, web interactions such as logins, registrations, and online forms are increasingly under attack.

To secure web interactions in a user-friendly, fully accessible and privacy compliant way, Friendly Captcha offers a secure and invisible alternative to traditional captchas. It is used successfully by large corporations, governments and startups worldwide.

Want to protect your website? Learn more about Friendly Captcha »