Challenge 31: Process Hollowing vs Hash Check

Hard Signature Bypass Target: Rule 6

Objective

Bypass Rule 6 by loading malicious code into memory without changing the on-disk image that gets hashed.

Prerequisites

Start the EDR with signatures loaded:

edr_agent.exe --signatures signatures/malware_hashes.txt --verbose --no-kill

Scanner Behavior

Rule 6 hashes the on-disk file pointed to by the process image path:

let imgHash = sha256File(info.imagePath)

It never inspects what’s actually loaded in the process’s memory. Process hollowing creates a suspended process (with a clean image), unmaps the original sections, and maps malicious code in its place.

Rules

  • Start a legitimate process (e.g., svchost.exe) in a suspended state
  • Replace its memory with malicious code (process hollowing)
  • Resume the thread — the EDR hashes the clean on-disk svchost.exe
  • Rule 6 must not trigger

Hints

Hint 1 CreateProcess with CREATE_SUSPENDED flag, then NtUnmapViewOfSection + VirtualAllocEx + WriteProcessMemory.
Hint 2 The EDR reads info.imagePath which still points to the original legitimate binary on disk. The hash matches a clean system binary, not your payload.
Hint 3 This works because the EDR checks the file, not the memory. A real EDR with ETW-TI would see the NtUnmapViewOfSection and NtWriteVirtualMemory calls on a remote process.