Back to Blog

Detecting Process Hollowing via ETW Threat Intelligence Tracing

Threat Detection

Detecting Process Hollowing via ETW Threat Intelligence Tracing

In the escalating arms race between malware authors and endpoint detection and response (EDR) vendors, the battlefield has shifted from user-mode API hooking to kernel-level visibility. For years, security products relied heavily on hooking functions within `ntdll.dll` to intercept suspicious activity. However, as adversaries transitioned to using direct syscalls-bypassing the hooked user-mode functions entirely-traditional EDRs were left effectively blind.

To counter this evasion, Microsoft introduced the ETW Threat Intelligence (ETW-TI) provider. This kernel-mode telemetry source provides visibility into the execution of system calls at the boundary where the user-mode request meets the kernel-mode implementation. For detection engineers, this represents a paradigm shift: we can now observe the fundamental operations of the operating system, regardless of how the caller attempts to hide their intent.

One of the most critical use cases for ETW-TI is detecting Process Hollowing, a stealthy injection technique that allows an adversary to execute malicious code within the context of a legitimate, trusted process.

The Anatomy of Process Hollowing

Process hollowing involves replacing the executable code of a legitimate process with a malicious payload. The lifecycle of a hollowing attack typically follows a predictable sequence of system calls:

  1. Creation: The attacker starts a legitimate system process (e.g., `svchost.exe` or `explorer.exe`) in a `CREATE_SUSPENDED` state.
  2. Unmapping: The attacker uses `NtUnmapViewOfSection` to "hollow out" the memory of the legitimate executable, effectively removing the original code from the process's address space.
  3. Allocation & Injection: The attacker allocates new memory within the suspended process using `NtAllocateVirtualMemory` and writes the malicious payload into that space using `NtWriteVirtualMemory`.
  4. Context Manipulation: The attacker uses `NtSetThreadContext` to modify the instruction pointer (`EIP`/`RIP`) of the suspended thread, pointing it toward the entry point of the newly injected payload.
  5. Resumption: Finally, `NtResumeThread` is called, triggering the execution of the malicious code under the guise of the original, trusted process.

While an attacker can bypass `WriteProcessMemory` hooks by using direct `syscall` instructions, they cannot bypass the fact that the kernel must still perform the `NtWriteVirtualMemory` operation. This is where ETW-PCI becomes indispensable.

Leveraging ETW-TI for Detection

The `Microsoft-Windows-Threat-Intelligence` provider emits events directly from the kernel. Unlike user-mode telemetry, these events are generated during the execution of the syscall itself. This makes them resistant to evasion via unhooking or direct syscalls.

To build a robust detection logic for process hollowing, we shouldn't look for a single event, but rather a correlated sequence of events involving a specific source and target process.

The Detection Logic

A high-fidelity detection signature should monitor for the following pattern involving a single `TargetProcessId`:

  1. Event: `PROCESS_CREATE`
  • Condition: The process is created with the `CREATE_SUSPENDED` flag.
  • Significance: This marks the beginning of the target's lifecycle in a manipulatable state.
  1. Event: `NT_UNMAP_VIEW_OF_SECTION`
  • Condition: The operation targets the base address of the newly created process.
  • Significance: This is the "hollowing" step. While not always present in all variants, it is a high-signal indicator of memory unmapping.
  1. Event: `NT_WRITE_VIRTUAL_MEMORY` or `NT_PROTECT_VIRTUAL_MEMORY`
  • Condition: The `SourceProcessId` (the attacker) is performing writes or permission changes (e.g., changing `PAGE_READONLY` to `PAGE_EXECUTE_READWRITE`) on the `TargetProcessId`.
  • Significance: This indicates the payload is being moved into the hollowed space.
  1. 'Event: `NT_SET_THREAD_CONTEXT`
  • Condition: The `SourceProcessId` modifies the thread context of the `TargetProcessId`, specifically targeting the `RIP`/`EIP` register.
  • Significance: This is the "smoking gun." Modifying the instruction pointer of a remote, suspended process is a highly suspicious operation that is rarely seen in legitimate software.

Implementation Considerations

When implementing this in a modern security stack (such as a custom EDR agent or a specialized monitoring tool), consider the following:

  • Correlation Window: You must maintain a stateful buffer of recent process creation events. Because these events occur in a sequence

Conclusion

As shown across "The Anatomy of Process Hollowing", "Leveraging ETW-TI for Detection", a secure implementation for detecting process hollowing via etw threat intelligence tracing depends on execution discipline as much as design.

The practical hardening path is to enforce host hardening baselines with tamper-resistant telemetry, behavior-chain detection across process, memory, identity, and network telemetry, and continuous control validation against adversarial test cases. This combination reduces both exploitability and attacker dwell time by forcing failures across multiple independent control layers.

Operational confidence should be measured, not assumed: track time from suspicious execution chain to host containment and reduction in reachable unsafe states under fuzzed malformed input, then use those results to tune preventive policy, detection fidelity, and response runbooks on a fixed review cadence.

Related Articles

Explore related cybersecurity topics:

Recommended Next Steps

If this topic is relevant to your organisation, use one of these paths:

← Back to All Posts Compare Services Get Quote