Process Hollowing
View on attack.mitre.org →

11 syscalls implement this technique
- NtWriteVirtualMemory
Writes a buffer from the caller into the virtual address space of a target process.
- NtCreateSection
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtMapViewOfSection
Maps a view of a section object into the virtual address space of a target process.
- NtMapViewOfSectionEx
Windows 10 1809+ extended section-mapping syscall that accepts MEM_EXTENDED_PARAMETER constraints.
- NtUnmapViewOfSection
Unmaps a previously mapped section view from a process's virtual address space.
- NtCreateThreadEx
Creates a new thread in a target process, optionally suspended, with rich attribute list support.
- NtCreateProcess
Legacy NT-style process creation from a pre-built section object — predecessor of NtCreateProcessEx and NtCreateUserProcess.
- NtCreateProcessEx
Creates a new process from a section handle without running ntdll process initialization — building block of process hollowing.
- NtResumeProcess
Decrements every thread's suspend count in a target process, resuming threads that reach zero.
- NtResumeThread
Decrements the suspend count of a thread, resuming execution when the count reaches zero.
- NtCommitTransaction
Commits a KTM transaction, atomically persisting every change made under it to disk.
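The syscalls above are the building blocks of the technique, and the order in which a foreign process invokes them against a target is what distinguishes hollowing from ordinary process creation. The matcher below is an added example for this page, not code from the page or from any detection product: it groups the listed syscalls by the role each plays (create, unmap, deliver image, run) and walks a constructed syscall trace, reporting each target process that a different process unmapped, wrote into or mapped into, and then resumed or gave a thread. The trace format (one dict per call with the caller pid, the pid the handle refers to, and the syscall name) is an assumption, as is the inclusion of NtCreateUserProcess as the normal creation path; NtCommitTransaction and the section-side of the transacted variants are not modelled because this trace carries no file or transaction handles.

```python
"""Sequence detector for the process-hollowing syscall chain listed on this page.

Added example, not from the page or any product. Runs over a constructed
syscall trace (assumed shape: one dict per call with the caller pid, the pid
the handle refers to, and the syscall name).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# The page's syscalls, grouped by the role each plays in the hollowing chain.
# NtCreateUserProcess is the path CreateProcess normally takes; it is listed so
# the matcher can tell a hand-built NtCreateProcessEx process from a normal one.
CREATE = {"NtCreateProcess", "NtCreateProcessEx", "NtCreateUserProcess"}
UNMAP = {"NtUnmapViewOfSection"}
WRITE = {"NtWriteVirtualMemory", "NtMapViewOfSection", "NtMapViewOfSectionEx"}
RUN = {"NtResumeThread", "NtResumeProcess", "NtCreateThreadEx"}


@dataclass
class TargetState:
    """What foreign processes have done to one target pid so far."""
    created_via: dict = field(default_factory=dict)   # caller pid -> creating syscall
    unmapped_by: set = field(default_factory=set)
    written_by: set = field(default_factory=set)


def classify(st, caller):
    """Name the variant completed when `caller` lets the target run, or None."""
    if caller in st.written_by:
        # A replacement image was delivered into the target before it ran.
        return "hollowing" if caller in st.unmapped_by else "write-then-run"
    if st.created_via.get(caller) == "NtCreateProcessEx":
        # Image came from a caller-supplied section; CreateProcess never uses
        # NtCreateProcessEx, so the caller built this process by hand.
        return "create-from-section"
    return None


def detect_hollowing(events):
    """Return (caller_pid, target_pid, variant) for every cross-process
    chain that ends in the target being started or resumed."""
    state = defaultdict(TargetState)
    hits = []
    for ev in events:
        caller, target, call = ev["pid"], ev["target"], ev["syscall"]
        if caller == target:
            continue                      # self-modification is out of scope
        st = state[target]
        if call in CREATE:
            st.created_via[caller] = call
        elif call in UNMAP:
            st.unmapped_by.add(caller)
        elif call in WRITE:
            st.written_by.add(caller)
        elif call in RUN:
            variant = classify(st, caller)
            if variant:
                hits.append((caller, target, variant))
                # One report per delivered image: reset this caller's state.
                st.written_by.discard(caller)
                st.unmapped_by.discard(caller)
                st.created_via.pop(caller, None)
    return hits


# Constructed trace, not captured from a real system.
SAMPLE_TRACE = [
    # Classic hollowing: suspended child, image unmapped, payload written, resumed.
    {"pid": 100, "target": 200, "syscall": "NtCreateUserProcess"},
    {"pid": 100, "target": 200, "syscall": "NtUnmapViewOfSection"},
    {"pid": 100, "target": 200, "syscall": "NtWriteVirtualMemory"},
    {"pid": 100, "target": 200, "syscall": "NtWriteVirtualMemory"},
    {"pid": 100, "target": 200, "syscall": "NtResumeThread"},
    # Ordinary parent starting a suspended child: no image replacement.
    {"pid": 300, "target": 400, "syscall": "NtCreateUserProcess"},
    {"pid": 300, "target": 400, "syscall": "NtResumeThread"},
    # Section-backed variant: NtCreateSection has no target process and is
    # ignored; the process is built from the section and its thread created by hand.
    {"pid": 500, "target": None, "syscall": "NtCreateSection"},
    {"pid": 500, "target": 600, "syscall": "NtCreateProcessEx"},
    {"pid": 500, "target": 600, "syscall": "NtCreateThreadEx"},
    # Debugger-style write then resume: reported as the weaker variant.
    {"pid": 700, "target": 800, "syscall": "NtWriteVirtualMemory"},
    {"pid": 700, "target": 800, "syscall": "NtResumeThread"},
    # Writes to self are skipped.
    {"pid": 900, "target": 900, "syscall": "NtWriteVirtualMemory"},
    {"pid": 900, "target": 900, "syscall": "NtResumeThread"},
]

if __name__ == "__main__":
    for caller, target, variant in detect_hollowing(SAMPLE_TRACE):
        print(f"pid {caller} -> pid {target}: {variant}")
```

The "write-then-run" variant is deliberately separated from "hollowing": debuggers and some legitimate instrumentation write into a suspended process and resume it, but they do not unmap its image first, so the unmap is the signal worth weighting highest. On a real trace the caller/target pids would come from the handle being used, not from the syscall's own arguments, which is why the trace here carries them as constructed fields.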