New Process Hollowing Attack Vectors Uncovered in Windows 11 (24H2)

Process hollowing, also known as RunPE, has long been a favored technique in malware development and offensive tooling.

It lets a malicious executable run under the name and file path of a benign one: the benign process is created suspended, its original image is unmapped and replaced with the payload, the image base and entry point are redirected, and the main thread is resumed.

However, Windows 11 version 24H2 has introduced a significant obstacle to this technique.

The release, which debuted on October 1, 2024, incorporates changes to the Windows loader that break existing process hollowing implementations.

The Root Cause: MEM_PRIVATE vs. MEM_IMAGE

The issue arises when a payload implanted into a suspended process is executed: on resumption, the process terminates with exit code 0xC0000141 (STATUS_INVALID_ADDRESS). The failure has been traced to modifications in the Windows loader, in particular new functionality supporting hotpatching.

Classic process hollowing writes the payload into memory the injector allocates with VirtualAllocEx, so the payload lives in private memory (MEM_PRIVATE) rather than in a section-backed image mapping (MEM_IMAGE), which is what the loader expects at a process's image base.

This distinction became critical with the introduction of a new NTDLL function, RtlpInsertOrRemoveScpCfgFunctionTable, which calls ZwQueryVirtualMemory during process initialization.

The call uses the MemoryImageExtensionInformation information class, which is only defined for MEM_IMAGE regions.

When the queried region is MEM_PRIVATE, as it is for a classic RunPE payload, the call returns STATUS_INVALID_ADDRESS, and process initialization halts with that status.

Proposed Solutions

Developers can switch to newer process impersonation methods that map the payload as MEM_IMAGE. Techniques such as Process Doppelganging, Process Ghosting, and Process Herpaderping create an image section from a file (transacted, pending deletion, or overwritten after the section exists) with NtCreateSection and build the process from that section with NtCreateProcessEx.

While effective, these methods are less convenient and leave identifiable traces in memory.

Hybrid techniques like Transacted Hollowing and Ghostly Hollowing offer closer parallels to classic process hollowing while ensuring compatibility with Windows 11 24H2.

These approaches map the payload as a MEM_IMAGE region with no backing file name (an unnamed image), preserving some of the stealth of the classic technique while satisfying the new loader check.

Another method, Process Overwriting, writes the payload over the original executable's mapping rather than unmapping it, so the payload ends up in a named MEM_IMAGE region and most closely resembles a legitimately loaded image.
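As an added example (not code from the article or from the report it summarizes), the following Python script ties together the root-cause section above and the memory types the alternative techniques leave behind. It triages the region at a process's image base as MEM_PRIVATE (classic RunPE), unnamed MEM_IMAGE (transacted or ghostly hollowing) or named MEM_IMAGE (a normal load, or process overwriting), and carries a simplified, assumed model of the success/failure behavior the article attributes to the MemoryImageExtensionInformation query. The three region maps are constructed by hand; `scan_process` is a live probe for 64-bit Windows built on VirtualQueryEx, GetMappedFileNameW and EnumProcessModules, and taking the first enumerated module as the image base is an assumption.

```python
"""Memory-type triage for process hollowing: added example, not code from the
article or the report it summarizes. Region maps below are constructed by hand;
scan_process() is a live probe for 64-bit Windows (ctypes, no extra packages)."""
import sys
from dataclasses import dataclass

# Memory state, type and protection constants from <winnt.h>.
MEM_COMMIT = 0x00001000
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_IMAGE = 0x01000000
PAGE_READONLY = 0x02
PAGE_EXECUTE_READ = 0x20
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_ADDRESS = 0xC0000141  # the exit status the article reports on 24H2

@dataclass
class Region:
    base: int
    size: int
    state: int
    mem_type: int
    protect: int
    mapped_file: "str | None" = None  # backing file of a MEM_IMAGE/MEM_MAPPED region, if any

def find_region(regions, address):
    return next((r for r in regions if r.base <= address < r.base + r.size), None)

def model_image_extension_query(regions, address):
    """Simplified model (an assumption, not real NTDLL logic) of the
    ZwQueryVirtualMemory(MemoryImageExtensionInformation) call the article
    describes: success only inside a committed MEM_IMAGE region."""
    r = find_region(regions, address)
    if r is None or r.state != MEM_COMMIT or r.mem_type != MEM_IMAGE:
        return STATUS_INVALID_ADDRESS
    return STATUS_SUCCESS

def classify_image_base(regions, image_base):
    """Triage the region at a process's image base by the memory type it carries."""
    r = find_region(regions, image_base)
    if r is None or r.state != MEM_COMMIT:
        return "no committed memory at image base"
    if r.mem_type == MEM_PRIVATE:
        return "classic hollowing (RunPE): image base is MEM_PRIVATE"
    if r.mem_type == MEM_IMAGE and not r.mapped_file:
        return "unnamed MEM_IMAGE: transacted/ghostly hollowing pattern"
    if r.mem_type == MEM_IMAGE:
        return "named MEM_IMAGE: normal load or process overwriting"
    return "MEM_MAPPED at image base: unusual, inspect manually"

# Constructed region maps with hypothetical addresses (not captured from a real process).
BASE = 0x140000000
NORMAL_LOAD = [
    Region(BASE, 0x1000, MEM_COMMIT, MEM_IMAGE, PAGE_READONLY, r"C:\Windows\System32\calc.exe"),
    Region(BASE + 0x1000, 0x20000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\Windows\System32\calc.exe"),
]
CLASSIC_RUNPE = [Region(BASE, 0x21000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ)]  # VirtualAllocEx + WriteProcessMemory
GHOSTLY_HOLLOWING = [Region(BASE, 0x21000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ)]  # section view, no file name

def scan_process(pid):
    """Live probe (64-bit Windows only): walk the target with VirtualQueryEx, name
    image/mapped regions with GetMappedFileNameW, and take EnumProcessModules' first
    module as the image base (assumed to mirror PEB.ImageBaseAddress, which hollowing rewrites)."""
    import ctypes
    from ctypes import wintypes

    class MBI(ctypes.Structure):  # x64 MEMORY_BASIC_INFORMATION layout
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD), ("PartitionId", wintypes.WORD),
                    ("RegionSize", ctypes.c_size_t), ("State", wintypes.DWORD),
                    ("Protect", wintypes.DWORD), ("Type", wintypes.DWORD)]

    k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    psapi.GetMappedFileNameW.argtypes = [wintypes.HANDLE, wintypes.LPVOID, wintypes.LPWSTR, wintypes.DWORD]
    h = k32.OpenProcess(0x0400 | 0x0010, False, pid)  # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if not h:
        raise ctypes.WinError()
    try:
        mbi, addr, regions, name = MBI(), 0, [], ctypes.create_unicode_buffer(1024)
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            named = mbi.Type in (MEM_IMAGE, MEM_MAPPED) and psapi.GetMappedFileNameW(h, base, name, 1024)
            regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Type, mbi.Protect, name.value if named else None))
            addr = base + mbi.RegionSize
        hmod, needed = wintypes.HMODULE(), wintypes.DWORD()
        if not psapi.EnumProcessModules(h, ctypes.byref(hmod), ctypes.sizeof(hmod), ctypes.byref(needed)):
            raise ctypes.WinError()
        return classify_image_base(regions, hmod.value)
    finally:
        k32.CloseHandle(h)

if __name__ == "__main__" and sys.platform == "win32":
    print(scan_process(int(sys.argv[1])))  # usage: python triage.py <pid>
```

Run against a live PID on Windows, the script reports which of the three memory-type patterns the image base shows; the constructed maps exercise the same classifier offline. The model function only encodes the rule the article states (MEM_IMAGE succeeds, MEM_PRIVATE fails with STATUS_INVALID_ADDRESS) and should not be read as a description of how NTDLL implements the query.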

For those who prefer to retain the original RunPE implementation, patching the target process's copy of NTDLL offers a workaround.

ZwQueryVirtualMemory is modified so that the check is skipped for the specific memory regions that contain the payload, and the error never surfaces.

According to the report, this solution requires precise filtering to minimize side effects and is applicable only to 64-bit processes on Windows 11 24H2 or later.

The 24H2 loader changes, introduced alongside hotpatching support, show how a platform update can disrupt long-standing malware techniques, whether or not that was its goal.

While alternatives like Transacted Hollowing and Process Overwriting provide viable paths forward, they add complexity and trade away some stealth.

For researchers and developers relying on process hollowing, these changes mean either adopting new methodologies or implementing targeted patches to maintain compatibility.
