Which of the following best describes the process hollowing technique used by attackers to execute malicious code while evading process-based defenses?
Force an existing process to load a malicious DLL by calling LoadLibrary through a remote thread.
Encrypt malware in memory and decrypt only small chunks immediately before execution to avoid static detection.
Launch a legitimate process in a suspended state, hollow out its memory, inject a malicious payload, and resume the process so the payload runs under the trusted process name.
Replace the import address table (IAT) of a process so that API calls are redirected to attacker-controlled functions.
Process hollowing starts a legitimate process (for example, explorer.exe) in a suspended state, removes (unmaps) the original code from its address space, writes the attacker's payload into the now-empty memory region, adjusts the thread context so the entry point refers to the malicious code, and then resumes the thread. Because the process still appears to be a normal, signed executable, security tools that only inspect process creation events can be bypassed. DLL injection via a remote thread and IAT hooking modify a running process in different ways, while in-memory encryption and chunked decryption changes how code is stored, not where it runs.