{"id":169846,"date":"2025-11-27T01:41:55","date_gmt":"2025-11-27T01:41:55","guid":{"rendered":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/"},"modified":"2025-11-27T01:41:55","modified_gmt":"2025-11-27T01:41:55","slug":"c-malware-development-process-hollowing-tutorial","status":"publish","type":"post","link":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/","title":{"rendered":"C++ Malware Development: Process Hollowing Tutorial"},"content":{"rendered":"<div class=\"youtubomatic-video-container\"><iframe loading=\"lazy\" width=\"580\" height=\"380\" src=\"https:\/\/www.youtube.com\/embed\/oOttUc8Giyk?autoplay=1&#038;controls=1&#038;hl=en\" frameborder=\"0\" allowfullscreen><\/iframe><\/div>\n<p>Forget standard DLL Injection. Dropping files to disk is the easiest way to get caught by modern EDRs. In this video, we are evolving our tradecraft and going fileless.<\/p>\n<p>Welcome back to Suit Up &#038; Hack! Today, we are building a &#8220;Digital Puppet Master.&#8221; We will write a C++ program from scratch that takes a legitimate, trusted Windows binary (Notepad.exe), hollows out its memory, and forces it to execute our malicious shellcode.<\/p>\n<p>Unlike our previous tutorials, this technique doesn&#8217;t rely on LoadLibrary. 
Instead, we perform &#8220;digital surgery&#8221; on a suspended process to hijack its execution flow.<\/p>\n<p>In this deep-dive tutorial, we cover:<\/p>\n<p>\ud83d\udd39 The Theory: Why Process Hollowing defeats static analysis.<br \/>\n\ud83d\udd39 The Setup: Using CreateProcessA to spawn a target in a SUSPENDED state.<br \/>\n\ud83d\udd39 The Surgery: Allocating memory with VirtualAllocEx and writing raw bytes with WriteProcessMemory.<br \/>\n\ud83d\udd39 The Hijack: Using GetThreadContext and SetThreadContext to manipulate the RIP register (x64) and redirect the CPU.<br \/>\n\ud83d\udd39 The Demo: Watching a benign Notepad process pop our MSFvenom payload.<\/p>\n<p>\u26a0\ufe0f Disclaimer: This video is for educational purposes and authorized red teaming engagements ONLY. The code demonstrated uses RWX permissions for demonstration purposes and should be run in a controlled lab environment.<\/p>\n<p>00:00 Introduction to Process Hollowing<br \/>\n00:26 Overview of DLL Injection<br \/>\n00:52 Evolving Tradecraft: Process Hollowing<br \/>\n01:15 Stage One: Creating a Suspended Process<br \/>\n01:40 Stage Two: Injecting Malicious Shell Code<br \/>\n02:04 Stage Three: Hijacking the Process<br \/>\n02:48 Building the Digital Puppet Master<br \/>\n03:17 Setting Up the Shell Code<br \/>\n05:16 Allocating Memory in the Target Process<br \/>\n06:51 Writing and Executing the Shell Code<br \/>\n10:43 Conclusion and Key Takeaways<\/p>\n<p>#malwaredevelopment #redteaming #cybersecurity #cplusplus #ethicalhacking #windowsinternals<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Forget standard DLL Injection. Dropping files to disk is the easiest way to get caught by modern EDRs. In this video, we are evolving our tradecraft and going fileless. Welcome back to Suit Up &#038; Hack! 
Today, we are building a &#8220;Digital Puppet Master.&#8221; We will write a C++ program from scratch that takes a legitimate, trusted Windows binary (Notepad.exe), hollows out its memory, and forces it to execute our&#8230;<\/p>\n","protected":false},"author":1,"featured_media":169847,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[1],"tags":[],"class_list":["post-169846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>C++ Malware Development: Process Hollowing Tutorial - UshopWell.com<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"C++ Malware Development: Process Hollowing Tutorial - UshopWell.com\" \/>\n<meta property=\"og:description\" content=\"Forget standard DLL Injection. Dropping files to disk is the easiest way to get caught by modern EDRs. In this video, we are evolving our tradecraft and going fileless. Welcome back to Suit Up &#038; Hack! 
Today, we are building a &#8220;Digital Puppet Master.&#8221; We will write a C++ program from scratch that takes a legitimate, trusted Windows binary (Notepad.exe), hollows out its memory, and forces it to execute our...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/\" \/>\n<meta property=\"og:site_name\" content=\"UshopWell.com\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-27T01:41:55+00:00\" \/>\n<meta name=\"author\" content=\"UShopWell\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"UShopWell\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/\"},\"author\":{\"name\":\"UShopWell\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#\\\/schema\\\/person\\\/6fd1f9e0ff932e534c86c70d5acff0fc\"},\"headline\":\"C++ Malware Development: Process Hollowing 
Tutorial\",\"datePublished\":\"2025-11-27T01:41:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/\"},\"wordCount\":259,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/169846\\\/c-malware-development-process-hollowing-tutorial.jpg\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/\",\"url\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/\",\"name\":\"C++ Malware Development: Process Hollowing Tutorial - 
UshopWell.com\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/169846\\\/c-malware-development-process-hollowing-tutorial.jpg\",\"datePublished\":\"2025-11-27T01:41:55+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/#primaryimage\",\"url\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/169846\\\/c-malware-development-process-hollowing-tutorial.jpg\",\"contentUrl\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/169846\\\/c-malware-development-process-hollowing-tutorial.jpg\",\"width\":480,\"height\":360,\"caption\":\"C++ Malware Development: Process Hollowing Tutorial\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/c-malware-development-process-hollowing-tutorial\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"C++ Malware Development: Process Hollowing 
Tutorial\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#website\",\"url\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/\",\"name\":\"UshopWell.com\",\"description\":\"The Premiere Online Marketplace\",\"publisher\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#organization\",\"name\":\"UshopWell\",\"url\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/pandaSwea.png\",\"contentUrl\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/pandaSwea.png\",\"width\":365,\"height\":359,\"caption\":\"UshopWell\"},\"image\":{\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/ushopwell.com\\\/ublog\\\/#\\\/schema\\\/person\\\/6fd1f9e0ff932e534c86c70d5acff0fc\",\"name\":\"UShopWell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4adb372cadd43b4d4c57964dab95b0f69618bf960d131c4acf49d96d6bbc9c6e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4adb372cadd43b4d4c57964dab95b0f69618bf960d131c4acf49d96d6bbc9c6e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4adb372cadd43b4d4c57964dab95b0f69618bf960d131c4acf49d96d6bbc9c6e?s=96&d=mm&r=g\",\"caption\":\"UShopWell\"},\"url\":\"https:\\
\/\\\/ushopwell.com\\\/ublog\\\/author\\\/kburnettu\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"C++ Malware Development: Process Hollowing Tutorial - UshopWell.com","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/","og_locale":"en_US","og_type":"article","og_title":"C++ Malware Development: Process Hollowing Tutorial - UshopWell.com","og_description":"Forget standard DLL Injection. Dropping files to disk is the easiest way to get caught by modern EDRs. In this video, we are evolving our tradecraft and going fileless. Welcome back to Suit Up &#038; Hack! Today, we are building a &#8220;Digital Puppet Master.&#8221; We will write a C++ program from scratch that takes a legitimate, trusted Windows binary (Notepad.exe), hollows out its memory, and forces it to execute our...","og_url":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/","og_site_name":"UshopWell.com","article_published_time":"2025-11-27T01:41:55+00:00","author":"UShopWell","twitter_card":"summary_large_image","twitter_misc":{"Written by":"UShopWell","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/#article","isPartOf":{"@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/"},"author":{"name":"UShopWell","@id":"https:\/\/ushopwell.com\/ublog\/#\/schema\/person\/6fd1f9e0ff932e534c86c70d5acff0fc"},"headline":"C++ Malware Development: Process Hollowing Tutorial","datePublished":"2025-11-27T01:41:55+00:00","mainEntityOfPage":{"@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/"},"wordCount":259,"commentCount":0,"publisher":{"@id":"https:\/\/ushopwell.com\/ublog\/#organization"},"image":{"@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/#primaryimage"},"thumbnailUrl":"https:\/\/ushopwell.com\/ublog\/wp-content\/uploads\/2025\/12\/169846\/c-malware-development-process-hollowing-tutorial.jpg","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/","url":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/","name":"C++ Malware Development: Process Hollowing Tutorial - 
UshopWell.com","isPartOf":{"@id":"https:\/\/ushopwell.com\/ublog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/#primaryimage"},"image":{"@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/#primaryimage"},"thumbnailUrl":"https:\/\/ushopwell.com\/ublog\/wp-content\/uploads\/2025\/12\/169846\/c-malware-development-process-hollowing-tutorial.jpg","datePublished":"2025-11-27T01:41:55+00:00","breadcrumb":{"@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/#primaryimage","url":"https:\/\/ushopwell.com\/ublog\/wp-content\/uploads\/2025\/12\/169846\/c-malware-development-process-hollowing-tutorial.jpg","contentUrl":"https:\/\/ushopwell.com\/ublog\/wp-content\/uploads\/2025\/12\/169846\/c-malware-development-process-hollowing-tutorial.jpg","width":480,"height":360,"caption":"C++ Malware Development: Process Hollowing Tutorial"},{"@type":"BreadcrumbList","@id":"https:\/\/ushopwell.com\/ublog\/c-malware-development-process-hollowing-tutorial\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ushopwell.com\/ublog\/"},{"@type":"ListItem","position":2,"name":"C++ Malware Development: Process Hollowing Tutorial"}]},{"@type":"WebSite","@id":"https:\/\/ushopwell.com\/ublog\/#website","url":"https:\/\/ushopwell.com\/ublog\/","name":"UshopWell.com","description":"The Premiere Online 
Marketplace","publisher":{"@id":"https:\/\/ushopwell.com\/ublog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ushopwell.com\/ublog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/ushopwell.com\/ublog\/#organization","name":"UshopWell","url":"https:\/\/ushopwell.com\/ublog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/ushopwell.com\/ublog\/#\/schema\/logo\/image\/","url":"https:\/\/ushopwell.com\/ublog\/wp-content\/uploads\/2018\/01\/pandaSwea.png","contentUrl":"https:\/\/ushopwell.com\/ublog\/wp-content\/uploads\/2018\/01\/pandaSwea.png","width":365,"height":359,"caption":"UshopWell"},"image":{"@id":"https:\/\/ushopwell.com\/ublog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/ushopwell.com\/ublog\/#\/schema\/person\/6fd1f9e0ff932e534c86c70d5acff0fc","name":"UShopWell","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4adb372cadd43b4d4c57964dab95b0f69618bf960d131c4acf49d96d6bbc9c6e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4adb372cadd43b4d4c57964dab95b0f69618bf960d131c4acf49d96d6bbc9c6e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4adb372cadd43b4d4c57964dab95b0f69618bf960d131c4acf49d96d6bbc9c6e?s=96&d=mm&r=g","caption":"UShopWell"},"url":"https:\/\/ushopwell.com\/ublog\/author\/kburnettu\/"}]}},"_links":{"self":[{"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/posts\/169846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\
/ushopwell.com\/ublog\/wp-json\/wp\/v2\/comments?post=169846"}],"version-history":[{"count":0,"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/posts\/169846\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/media\/169847"}],"wp:attachment":[{"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/media?parent=169846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/categories?post=169846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ushopwell.com\/ublog\/wp-json\/wp\/v2\/tags?post=169846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}