A cross-architecture (x86/x64) PE process hollowing implementation using direct syscall resolution via API hashing and D/Invoke-style function lookup.
- D/Invoke - Runtime API resolution through PEB traversal and export table walking, avoiding static imports
- API Hashing - FNV-1 based hash lookup to resolve function addresses without plaintext API strings
- WinHTTP Payload Staging - Fetches the PE payload from a remote HTTP server (hardcoded to 127.0.0.1)
- Process Hollowing - Injects and executes a PE payload inside a suspended legitimate process:
  - Copies PE headers from the staged payload
  - Spawns a target process in a suspended state
  - Allocates memory and writes headers + sections into the remote process
  - Patches the relocation table to account for the image base delta (x86 and x64)
  - Redirects the entry point via thread context and resumes execution
- Conditional Debug Output - Debug logging via `DBG_PRINTF`, compiled out in Release builds
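For an analyst triaging a binary that resolves APIs this way, the FNV-1 hashing is reversible by table lookup: hash every known export name once, then map the constants found in the sample back to names. The following is an added example, not HollowCore's own code; it assumes 32-bit FNV-1 (multiply, then XOR) over the ASCII export name, and the list of exports is a constructed sample.

```python
# Added example (not part of HollowCore): analyst-side lookup table that maps
# FNV-1 hashes back to Windows export names, the reverse of the hash-based
# resolution described above. Assumes 32-bit FNV-1 with the standard offset
# basis and prime; the project's exact parameters (width, case handling)
# are not stated here and may differ.
FNV1_32_OFFSET = 0x811C9DC5
FNV1_32_PRIME = 0x01000193


def fnv1_32(name: str) -> int:
    """32-bit FNV-1: multiply by the prime, then XOR in each byte."""
    h = FNV1_32_OFFSET
    for b in name.encode("ascii"):
        h = (h * FNV1_32_PRIME) & 0xFFFFFFFF
        h ^= b
    return h


# Constructed sample of export names to seed the table with; in practice an
# analyst feeds in every export of ntdll.dll, kernel32.dll and winhttp.dll.
KNOWN_EXPORTS = [
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtResumeThread",
    "NtGetContextThread", "NtSetContextThread", "CreateProcessA",
    "WinHttpOpen", "WinHttpConnect", "WinHttpSendRequest",
]


def build_hash_table(names=KNOWN_EXPORTS) -> dict:
    """Map hash -> export name; flag any collision instead of silently overwriting."""
    table = {}
    for n in names:
        h = fnv1_32(n)
        if h in table and table[h] != n:
            raise ValueError(f"FNV-1 collision on {h:#010x}: {table[h]} / {n}")
        table[h] = n
    return table


def resolve_hash(h: int, table=None):
    """Return the export name for a 32-bit hash constant, or None if unknown."""
    table = build_hash_table() if table is None else table
    return table.get(h & 0xFFFFFFFF)


if __name__ == "__main__":
    for h, name in sorted(build_hash_table().items()):
        print(f"{h:#010x}  {name}")
```

Seeding the table from the real export directories of the DLLs on an analysis VM, rather than the constructed list, is what makes the lookup useful against an actual sample.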
Open HollowCore.sln in Visual Studio. Supports both x86 and x64 platform targets.
- Debug build: includes `stdio.h` and verbose console output for development
- Release build: all `DBG_PRINTF` calls compile to no-ops; `stdio.h` is excluded
Check the source code.
```text
main()
+-- FindBaseLibs()                 PEB walk to locate kernel32.dll and ntdll.dll
+-- FindFunctionByHash()           Export table walk with FNV-1 hash
+-- ntapi_winhttp_method()         WinHTTP payload download (chunked, accumulated buffer)
+-- CopyPENTHeader()               Validate and copy PE NT headers
+-- launchSuspendedProcess()       CreateProcessA with CREATE_SUSPENDED
+-- NtAllocateVirtualMemory        Remote memory allocation
+-- NtWriteVirtualMemory           Write headers and sections
+-- FixRelocationTable()           Patch base relocation entries
+-- ChangeEntryPointAndResume()    Set thread context and NtResumeThread
```
- Payload encryption for staged PE
- User-Agent validation on the staging server