Phantom DLL hollowing PoC
Latest commit f4f2033 Mar 13, 2020

Type Name Latest commit message Commit time
MemSweep Update MemSweep.cpp Mar 13, 2020
PhantomDllHollower Revert "Removed original memory scanner" Oct 15, 2019
Site Moved HTML save of article and added README with compatibility info Dec 10, 2019
.gitignore Added gitignore, license, readme Oct 8, 2019
LICENSE Added gitignore, license, readme Oct 8, 2019
README.md Update README.md Oct 8, 2019

README.md

Phantom DLL hollowing

DLL hollowing is a technique which can be used to provide stealth for malware in memory, either within the local process or a remote one (in combination with process injection/hollowing). This PoC code is associated with the blog post at https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing

This solution contains two projects. The first is a PoC which can execute DLL hollowing using either the classic or phantom (TxF) method. It takes a user-supplied shellcode and only targets the address space of the local process. The second project is a memory scanner, which can enumerate the regional attributes of a user-provided PID, or all accessible processes. It can also collect statistics on the most common permissions for different types of memory.
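The permission statistics that the memory scanner collects can be illustrated with a short tally over region records. This is an added example, not the MemSweep source: the struct, function names and sample regions are assumptions, and the constants are redefined from winnt.h (with a trailing underscore) so it builds without the Windows SDK.

```cpp
// Added example, not MemSweep's code. Region records are constructed sample data;
// on Windows they would be filled from VirtualQueryEx (MEMORY_BASIC_INFORMATION).
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Values from winnt.h, redefined here so the example builds without the Windows SDK.
constexpr uint32_t MEM_PRIVATE_ = 0x20000, MEM_MAPPED_ = 0x40000, MEM_IMAGE_ = 0x1000000;
constexpr uint32_t PAGE_READONLY_ = 0x02, PAGE_READWRITE_ = 0x04, PAGE_EXECUTE_READ_ = 0x20,
                   PAGE_EXECUTE_READWRITE_ = 0x40, PAGE_GUARD_ = 0x100;
struct Region { uint64_t base, size; uint32_t type, protect; };
using Stats = std::map<uint32_t, std::map<uint32_t, std::size_t>>; // type -> protect -> count

// Tally regions per memory type and protection. Modifier bits (PAGE_GUARD,
// PAGE_NOCACHE, PAGE_WRITECOMBINE) are masked off so they do not split a bucket.
Stats Tally(const std::vector<Region>& regions) {
    Stats stats;
    for (const Region& r : regions) ++stats[r.type][r.protect & 0xFF];
    return stats;
}

// Most frequent protection for one memory type; 0 if the type was never seen.
uint32_t MostCommon(const Stats& stats, uint32_t type) {
    auto it = stats.find(type);
    if (it == stats.end()) return 0;
    uint32_t best = 0; std::size_t best_count = 0;
    for (const auto& kv : it->second)
        if (kv.second > best_count) { best = kv.first; best_count = kv.second; }
    return best;
}

// Constructed sample: a handful of regions resembling one process snapshot.
std::vector<Region> SampleRegions() {
    return {
        {0x00400000, 0x1000, MEM_IMAGE_,   PAGE_READONLY_},
        {0x00401000, 0x8000, MEM_IMAGE_,   PAGE_EXECUTE_READ_},
        {0x00409000, 0x2000, MEM_IMAGE_,   PAGE_READONLY_},
        {0x00600000, 0x4000, MEM_PRIVATE_, PAGE_READWRITE_},
        {0x00610000, 0x1000, MEM_PRIVATE_, PAGE_READWRITE_ | PAGE_GUARD_},
        {0x00700000, 0x1000, MEM_PRIVATE_, PAGE_EXECUTE_READWRITE_},
        {0x00800000, 0x3000, MEM_MAPPED_,  PAGE_READONLY_},
    };
}

int main() {
    Stats s = Tally(SampleRegions());
    std::printf("MEM_IMAGE most common protect: 0x%02X\n", MostCommon(s, MEM_IMAGE_));
    std::printf("MEM_PRIVATE most common protect: 0x%02X\n", MostCommon(s, MEM_PRIVATE_));
}
```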

Compilation

Visual Studio Community 2019, configurations Release|x86 and Release|x64

Usage

PhantomDllHollower.exe (shellcode file path) "txf" (optional, phantom hollow using TxF)
