Process Hollowing

An implementation of the Process Hollowing (also known as RunPE) technique.

x64 builds can hollow 64- & 32-bit images, but x86 builds can only hollow 32-bit images.

The implementation supports:

The implementation expects to get the images' paths via command-line arguments:

ProcessHollowing.exe <Target Path> <Payload Path>

The images must be both 64-bit or 32-bit, and, must be subsystem-compatible:

The payload's subsystem must be GUI, or, both of the images must have the same subsystem (console for example).

Add TLS Callback Injection option support, in addition to the option of overriding the target's entry point by modifying its context, for being stealthier

Name		Name	Last commit message	Last commit date
Latest commit History 28 Commits
exceptions		exceptions
.gitignore		.gitignore
CMakeLists.txt		CMakeLists.txt
DLLFunctionsLoader.cpp		DLLFunctionsLoader.cpp
DLLFunctionsLoader.hpp		DLLFunctionsLoader.hpp
Hollowing32Bit.cpp		Hollowing32Bit.cpp
Hollowing32Bit.hpp		Hollowing32Bit.hpp
Hollowing64Bit.cpp		Hollowing64Bit.cpp
Hollowing64Bit.hpp		Hollowing64Bit.hpp
HollowingInterface.hpp		HollowingInterface.hpp
Main.cpp		Main.cpp
NtdllFunctions.cpp		NtdllFunctions.cpp
NtdllFunctions.hpp		NtdllFunctions.hpp
ProcedurePointer.cpp		ProcedurePointer.cpp
ProcedurePointer.hpp		ProcedurePointer.hpp
README.md		README.md

Provide feedback