2.2 Detecting Hollow Process Injection

To detect hollow process injection, you can look for the discrepancies created between the PEB and the VAD, as well as the memory protection discrepancy. You can also look for a discrepancy in the parent-child process relationship. In the following Stuxnet example, you can see that there are two lsass.exe processes running on the system. The first lsass.exe process (pid 708) has a parent process of winlogon.exe (pid 652), whereas the second lsass.exe process (pid 1732) has a parent process (pid 1736) which has terminated. Based on the process information, you can tell that lsass.exe with a pid of 1732 is the suspicious process because, on a clean system, winlogon.exe is the parent process of lsass.exe on pre-Vista machines and wininit.exe is the parent process of lsass.exe on Vista and later systems:

$ python vol.py -f stux.vmem --profile=WinXPSP3x86 pslist | grep -i lsass
Volatility Foundation Volatility Framework 2.6
0x818c1558 lsass.exe 708 652 24 343 0 0 2016-05-10 06:47:24+0000
0x81759da0 lsass.exe 1732 1736 5 86 0 0 2018-05-12 06:39:42

$ python vol.py -f stux.vmem --profile=WinXPSP3x86 pslist -p 652
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
---------- ------------ ---- ---- ---- ---- --- ------ ------------------
0x818321c0 winlogon.exe 652 332 23 521 0 0 2016-05-10 06:47:24

$ python vol.py -f stux.vmem --profile=WinXPSP3x86 pslist -p 1736
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : Cannot find PID 1736. If its terminated or unlinked, use psscan and then supply --offset=OFFSET

As mentioned earlier, you can detect hollow process injection by comparing the PEB and VAD structure. The dlllist plugin, which gets module information from the PEB, shows the full path to lsass.exe (pid 1732) and the base address (0x01000000) where it is loaded:

lsass.exe pid: 1732
Command line : "C:\WINDOWS\system32\lsass.exe"
Service Pack 3

Base Size Load Count Path
---------- ------- ------ -------------------------------
0x01000000 0x6000 0xffff C:\WINDOWS\system32\lsass.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
[REMOVED]

The ldrmodules plugin, which relies on the VAD in the kernel, does not show the full path name for lsass.exe. Because the malware unmapped the lsass.exe executable section from the process, the full path name is no longer associated with the address 0x01000000 (note the empty MappedPath column for that entry):

$ python vol.py -f stux.vmem --profile=WinXPSP3x86 ldrmodules -p 1732
Volatility Foundation Volatility Framework 2.6
Pid Process Base InLoad InInit InMem MappedPath
---- --------- ---------- ------ ------ ------ ----------------------------
[REMOVED]
1732 lsass.exe 0x7c900000 True True True \WINDOWS\system32\ntdll.dll
1732 lsass.exe 0x71ad0000 True True True \WINDOWS\system32\wsock32.dll
1732 lsass.exe 0x77f60000 True True True \WINDOWS\system32\shlwapi.dll
1732 lsass.exe 0x01000000 True False True
1732 lsass.exe 0x76b40000 True True True \WINDOWS\system32\winmm.dll
[REMOVED]

Since the malware normally allocates memory with PAGE_EXECUTE_READWRITE permission after hollowing and before injecting the executable, you can look for that memory protection. The malfind plugin identified the suspicious memory protection at the same address (0x01000000) where the executable lsass.exe was loaded:

Process: lsass.exe Pid: 1732 Address: 0x1000000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, Protection: 6

0x01000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01000030 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 ................

0x01000000 4d DEC EBP
0x01000001 5a POP EDX
0x01000002 90 NOP

If you wish to dump the suspicious memory regions detected by malfind to disk, you can specify -D followed by the name of the directory into which all the suspicious memory regions will be dumped.
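As an added example (not the book's code), the following Python script applies the three checks described in this section to plain-text pslist, ldrmodules and malfind evidence for one PID. The sample rows are constructed from the Stuxnet output above, and the column parsers assume Volatility 2's default text layout.

```python
"""Correlate the three hollowing signals from this section for one PID:
parent-child mismatch (pslist), PEB/VAD mismatch (ldrmodules) and an RWX
region carrying an MZ header at the same base (malfind)."""

# Expected parent of lsass.exe depends on the Windows generation
EXPECTED_PARENT = {"lsass.exe": {"prevista": "winlogon.exe", "vista+": "wininit.exe"}}

def parse_pslist(text):
    """pslist rows: Offset(V) Name PID PPID ... -> {pid: (name, ppid)}"""
    procs = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 4 and f[0].startswith("0x"):   # skip banner/header rows
            procs[int(f[2])] = (f[1], int(f[3]))
    return procs

def parse_ldrmodules(text):
    """ldrmodules rows: Pid Process Base InLoad InInit InMem [MappedPath]
    -> [(pid, base, inload, ininit, inmem, path)]; path is '' when the VAD
    has no file object behind it, which is the unmapped-section case."""
    mods = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 6 and f[2].startswith("0x"):
            mods.append((int(f[0]), int(f[2], 16), f[3] == "True",
                         f[4] == "True", f[5] == "True", f[6] if len(f) > 6 else ""))
    return mods

def hollow_indicators(pslist_text, ldr_text, regions, pid, generation="prevista"):
    """regions: malfind-style (address, protection, first_bytes) tuples."""
    procs, found = parse_pslist(pslist_text), []
    name, ppid = procs[pid]
    want = EXPECTED_PARENT.get(name.lower(), {}).get(generation)
    if ppid not in procs:
        found.append("parent pid %d missing from pslist (terminated/unlinked)" % ppid)
    elif want and procs[ppid][0].lower() != want:
        found.append("parent is %s, expected %s" % (procs[ppid][0], want))
    for p, base, inload, _, _, path in parse_ldrmodules(ldr_text):
        if p == pid and inload and not path:   # PEB knows it, VAD has no file
            found.append("PEB lists module at 0x%08x but VAD has no mapped path" % base)
            for addr, prot, data in regions:   # only the hollowed base matters
                if addr == base and prot == "PAGE_EXECUTE_READWRITE" and data[:2] == b"MZ":
                    found.append("0x%08x is PAGE_EXECUTE_READWRITE with an MZ header" % addr)
    return found

# Constructed sample input, taken from the Stuxnet output shown in this section
PSLIST = """0x818321c0 winlogon.exe 652 332 23 521 0 0 2016-05-10 06:47:24
0x818c1558 lsass.exe 708 652 24 343 0 0 2016-05-10 06:47:24
0x81759da0 lsass.exe 1732 1736 5 86 0 0 2018-05-12 06:39:42"""
LDRMODULES = """1732 lsass.exe 0x7c900000 True True True \\WINDOWS\\system32\\ntdll.dll
1732 lsass.exe 0x01000000 True False True
708 lsass.exe 0x01000000 True True True \\WINDOWS\\system32\\lsass.exe"""
MALFIND = [(0x01000000, "PAGE_EXECUTE_READWRITE", b"MZ\x90\x00")]
```

Running `hollow_indicators(PSLIST, LDRMODULES, MALFIND, 1732)` returns all three indicators for the hollowed process, while pid 708 returns none; pass `generation="vista+"` when the image comes from Vista or later so the expected parent becomes wininit.exe.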