Hello and welcome to the Thursday, September 15th, 2020 edition of the Sandsenet Storms, and at Storms,

Stormcast, my name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier today looked at how process hollowing is used by Python malware on Windows.

Process hollowing is not a technique that's typically associated with Python.

Process hollowing uses a benign process, let's say, Notepad or in an Explorer, or these days,

Chrome's and such, and then if the process is currently suspended,

injects malicious code into the process's address space.

So now the malicious code is executed as part of this benign process.

So the particular program will not be changed on disk. It will just be changed

in memory, and of course that makes it more difficult to then detect the malicious code.

Now this certainly sounds like a complex trick to pull off and something people may more

associate with software written specifically for Windows in languages like C, but

well, it turns out that Windows actually has an API for this, and there's some benign software

that actually uses that same technique, which first of all makes it easier to employ this

trick, but also there is a Python library that will actually allow you to call

Windows APIs, and with that it opens it up two languages like Python.

As typical for Python, someone else already did all the hard work for you.

There is a PIMM package that allows you to manipulate

the memory of Windows processes. All that hacker needs to do is include about four lines

of code in order to take advantage of this technique. And Xavier actually shows an example, code snippet, that Xavier found out in

the wild as part of the diary. The snippet looks like a simple backdoor and Xavier points out

that this may actually have been intended to be used as part of a penetration test or a test

...