Presentation Material

Abstract

Hollow process injection is a code injection technique used by the malware authors to blend in with legitimate processes on the system and remain undetected; there are documented procedures to detect hollow process injection. This presentation focuses on undocumented hollow process injection techniques. By demonstrating the analysis (reverse engineering and forensics) of real-world malware samples, this presentation uncovers how malware authors (both APT and crimeware actors) are now using variations of hollow process injection techniques - not just to blend in but also to remain stealthy, bypass detection, confuse, divert the forensic analysis tools/techniques to create uncertainty in the minds of the security analyst.The presentation also covers how the malware can further be modified to deflect the forensic analysis tools/techniques there by creating a possible anti-forensic technique. The presentation also covers what to look for while investigating such malware attacks, when to rely on the forensic tools and when not to; from an incident response perspective, understanding such stealth techniques will help in countering and responding to such malware attacks. The presentation contains video demos of the analysis of different real world malware samples and also presents a Volatility plugin to detect such attacks.