Forget standard DLL Injection. Dropping files to disk is the easiest way to get caught by modern EDRs. In this video, we are evolving our tradecraft and going fileless.
Welcome back to Suit Up & Hack! Today we are building a "Digital Puppet Master": a C++ program, written from scratch, that launches a legitimate, trusted Windows binary (notepad.exe) in a suspended state, plants our shellcode inside its address space, and forces its main thread to execute it.
Unlike our previous tutorials, this technique doesn't rely on LoadLibrary or on any DLL touching disk. Instead, we perform "digital surgery" on a suspended process to hijack its execution flow. One precision worth keeping in mind: the steps below leave Notepad's original image mapped (classic hollowing first unmaps it with NtUnmapViewOfSection and maps a replacement PE in its place); what we do is redirect the suspended primary thread's context into an injected buffer, so the result is a suspended-process thread-context hijack under the "process hollowing" label.
In this deep-dive tutorial, we cover:
🔹 The Theory: why going fileless sidesteps static (on-disk) analysis: the shellcode only ever exists inside the loader and in Notepad's memory, never as a separate file for a scanner to pick up.
🔹 The Setup: using CreateProcessA with CREATE_SUSPENDED to spawn the target before its main thread has run a single instruction.
🔹 The Surgery: allocating memory in the target with VirtualAllocEx and copying the raw bytes over with WriteProcessMemory (the video uses a single RWX allocation; allocating RW, writing, then flipping to RX with VirtualProtectEx is the less conspicuous variant).
🔹 The Hijack: using GetThreadContext and SetThreadContext (ContextFlags = CONTEXT_CONTROL is enough) to point the suspended thread's RIP (x64) at our buffer, then ResumeThread to let the CPU run it.
🔹 The Demo: watching a benign Notepad process pop our msfvenom payload.
⚠️ Disclaimer: This video is for educational purposes and authorized red teaming engagements ONLY. The code demonstrated uses RWX permissions for demonstration purposes and should be run in a controlled lab environment.
00:00 Introduction to Process Hollowing
00:26 Overview of DLL Injection
00:52 Evolving Tradecraft: Process Hollowing
01:15 Stage One: Creating a Suspended Process
01:40 Stage Two: Injecting Malicious Shellcode
02:04 Stage Three: Hijacking the Process
02:48 Building the Digital Puppet Master
03:17 Setting Up the Shellcode
05:16 Allocating Memory in the Target Process
06:51 Writing and Executing the Shellcode
10:43 Conclusion and Key Takeaways
#malwaredevelopment #redteaming #cybersecurity #cplusplus #ethicalhacking #windowsinternals