Overview

Process Hollowing is a common technique used by modern malware to create a process which appears legitimate when viewed in tools such as Task Manager, but whose code has in fact been replaced with malicious content.

This post outlines the API calls used in Process Hollowing and explains how to follow the mechanism in OllyDbg, so that you can attach to the newly created process before any of the malicious code executes.