Process Hollowing (process replacement, RunPE):
The malware starts a new instance of a legitimate executable in a suspended state, unmaps (hollows out) its image from the address space, writes its own executable into the freed memory, repoints the primary thread's entry point at it and resumes the thread, so the malicious code runs under the legitimate process's name and on-disk path. Security tooling that only checks the process name and the image on disk sees a legitimate process and does not see what is actually running; only inspection of the process memory (for example comparing the mapped image with the file on disk) reveals the substitution.
General steps in process hollowing:
Create a new process using the CreateProcessA() API, normally with the CREATE_SUSPENDED flag so that it never executes its own code. This process acts as the legitimate host and will be hollowed out.
If it was not created suspended, NtSuspendProcess() is used to suspend it.
Hollow out the host: read its image base from the PEB (the PEB address is handed to the primary thread in Ebx on x86 / Rdx on x64) and unmap the original image with NtUnmapViewOfSection().
Allocate memory in the suspended process using the VirtualAllocEx() API, ideally at the payload's preferred ImageBase so no relocation fixups are needed. This memory will hold the malicious code.
Write the malicious image into the allocated memory using the WriteProcessMemory() API: the PE headers first, then each section at its virtual address. Update ImageBaseAddress in the PEB to the new base.
Redirect execution with the GetThreadContext() and SetThreadContext() APIs: fetch the primary thread's context, set the entry-point register (Eax on x86, Rcx on x64) to the payload's entry point, and write the context back.
Resume the suspended thread with ResumeThread() (or the whole process with NtResumeProcess()). The thread starts executing the malicious code.
Close the process and thread handles and free any buffers used during the process.
Asynchronous Procedure Call (APC) Injection and AtomBombing
Extra Window Memory Injection
via SetWindowLong()/SetWindowLongPtr()
IAT and Inline Hooking (userland rootkits)
Anti-debugging Techniques
checking for the presence of a debugger with IsDebuggerPresent(), which only reads the BeingDebugged byte in the PEB (so malware may read that byte directly, and a debugger can hide by clearing it)
tampering with debug registers: reading DR0-DR3 via GetThreadContext() to detect hardware breakpoints, or clearing them so the debugger's breakpoints never fire
self-modifying code, which rewrites or decrypts its own instructions at run time so that the bytes on disk (and any software breakpoints patched into them) are not the bytes that actually execute
polymorphic code, which has a "mutation engine" that changes its code signature with each replication or infection while keeping its core functionality. This is typically achieved with encryption/decryption routines and a different key for each copy, so signature-based antivirus cannot match the encrypted body consistently; the decryption stub itself changes far less, which is why scanners emulate or unpack the sample before matching.
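A toy version of the encryption-based polymorphism described above, added here as an example and not code from the page. The "mutation engine" re-encrypts the same body under a fresh keystream for each generation, the decryptor stub bytes are a constructed placeholder for the constant decryption routine, and the plaintext is a constructed stand-in for a payload; the point is to see which parts change between copies and which do not.

```c
/* Added illustration of polymorphic (encryption-based) code mutation; not code
 * from the page. Toy engine: XOR with an LCG keystream under a per-copy key, so the
 * encrypted body changes every generation while the decryptor stays constant.
 * All data here is constructed for the example. */
#include <stdint.h>
#include <string.h>

#define BODY_MAX 64
#define STUB_LEN 8

typedef struct {
    uint8_t  stub[STUB_LEN];   /* stand-in for the decryptor's machine code (constant) */
    uint32_t key;              /* per-generation key stored next to the body */
    uint32_t body_len;
    uint8_t  body[BODY_MAX];   /* encrypted payload */
} generation_t;

/* Constructed placeholder bytes for the decryptor that every generation carries. */
static const uint8_t DECRYPT_STUB[STUB_LEN] = { 0x31, 0xc0, 0x8b, 0x4c, 0x24, 0x04, 0xeb, 0x02 };

/* Constructed plaintext standing in for the real payload. */
static const uint8_t PLAINTEXT[] = "constructed payload: drop file, set autorun";
#define PLAIN_LEN ((uint32_t)sizeof PLAINTEXT)

/* Keystream is an LCG; XOR is its own inverse, so this both encrypts and decrypts. */
static void crypt_body(uint8_t *buf, uint32_t n, uint32_t key)
{
    for (uint32_t i = 0; i < n; i++) {
        key = key * 1103515245u + 12345u;
        buf[i] ^= (uint8_t)(key >> 16);
    }
}

/* Mutation engine: emit a new generation of the same plaintext under key 'seed'.
 * Returns 0 on success, -1 if the body does not fit. */
int mutate(generation_t *g, const uint8_t *plain, uint32_t n, uint32_t seed)
{
    if (n > BODY_MAX) return -1;
    memset(g, 0, sizeof *g);
    memcpy(g->stub, DECRYPT_STUB, STUB_LEN);
    g->key = seed;
    g->body_len = n;
    memcpy(g->body, plain, n);
    crypt_body(g->body, n, seed);
    return 0;
}

/* What the decryptor does at run time: recover the plaintext into 'out'. */
uint32_t unpack(const generation_t *g, uint8_t *out)
{
    memcpy(out, g->body, g->body_len);
    crypt_body(out, g->body_len, g->key);
    return g->body_len;
}

/* Naive byte-signature scan over the whole generation, the way a simple AV would. */
int signature_hits(const generation_t *g, const uint8_t *sig, size_t siglen)
{
    const uint8_t *p = (const uint8_t *)g;
    for (size_t i = 0; i + siglen <= sizeof *g; i++)
        if (memcmp(p + i, sig, siglen) == 0) return 1;
    return 0;
}

/* Count positions where two generations' encrypted bodies differ. */
uint32_t body_diff(const generation_t *a, const generation_t *b)
{
    uint32_t d = 0;
    for (uint32_t i = 0; i < a->body_len && i < b->body_len; i++) d += a->body[i] != b->body[i];
    return d;
}
```

Generating two copies with different seeds and scanning them shows the asymmetry the text describes: a signature taken from the plaintext body matches neither copy and the two bodies differ almost everywhere, yet both unpack to the identical plaintext and a signature on the stub bytes still hits every generation. That constant stub is the weak point of this kind of polymorphism, and it is why detection moves to emulating the decryptor or scanning memory after it has run.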