PichichiH0ll0wer : Mastering Nim-Based Process Hollowing For Efficient Payload Management

PichichiH0ll0wer revolutionizes payload management with its Nim-based process hollowing capabilities.

This innovative tool offers configurable features, advanced injection methods, and robust protection mechanisms, making it a game-changer for Windows environments.

Explore how PichichiH0ll0wer streamlines the deployment of payloads while enhancing security and efficiency.

• PichichiH0ll0wer
• About
• Features
• Injection methods
• Installation
• Usage
• Credits

About

–== Process hollowing loader written in Nim for PEs only ==–

I built PichichiH0ll0wer to learn and contribute, sure. but also because I’m quite tired of shellcodes everywhere.

Loading PEs might be less evasive, I know, but it’s still efficient and more convenient than fighting to turn your PE payload into a shellcode each time (which not always works smoothly).

Also, PichichiH0ll0wer has some features to protect your payload. I may add some more injection techniques and features in the future. Supports only x64 EXEs currently.

Features

• Configurable builder
• Payload encrypted and compressed (and optionally splitted) in the hollow loader
• Supports splitted injection using multiple processes
• Supports direct and indirect system calls
• Hollower does not use the very suspicious call Nt/ZwUnmapViewOfSection
• Can build EXE / DLL hollow loaders
• Can block unsigned microsoft DLLs from being loaded to the hollowed process
• Supports anti-debug techniques with the ability to die or to execute useless calculations (‘troll’ mode)
• Obfuscated sleep using useless calculations
• Supports execution within VEH
• Supports command line Rc4 key to decrypt the payload

Injection Methods

1. Simple hollowing: just the usual stuff: VirtualAlloc -> WriteProcessMemory -> GetThreadContext -> SetThreadContext -> ResumeThread.
2. Direct syscalls hollowing: using the great NimlineWhispers2.
3. Indirect syscalls hollowing: using the great NimlineWhispers3.
4. Splitted hollowing: each step of method (1) is occurring in a separate process with inherited handles.
5. Splitted hollowing: each step of method (2) is occurring in a separate process with inherited handles.
6. Splitted hollowing: each step of method (3) is occurring in a separate process with inherited handles.

Example of splitted hollowing of cscript.exe with cmd.exe that spawns whoami.exe:

Installation

Built with Nim 1.6.12, should be run on Windows only.

nimble install winim ptr_math nimprotect supersnappy argparse

Usage

Usage:
   [options] exe_file injection_method

Arguments:
  exe_file         Exe file to load
  injection_method Injection method

        1 - Simple hollowing
        2 - Direct syscalls hollowing
        3 - Indirect syscalls hollowing
        4 - Splitted hollowing using multiple processes
        5 - Splitted hollowing using multiple processes and direct syscalls
        6 - Splitted hollowing using multiple processes and indirect syscalls

Options:
  -h, --help
  -s, --sponsor=SPONSOR      Sponsor path to hollow (default: self hollowing)
  -a, --args=ARGS            Command line arguments to append to the hollowed process
  -f, --format=FORMAT        PE hollower format Possible values: [exe, dll] (default: exe)
  -e, --export=EXPORT        DLL export name (relevant only for Dll format) (default: DllRegisterServer)
  -b, --block                Block unsigned Microsoft Dlls in the hollowed process
  -p, --split                Split and hide the payload blob in hollower (takes long to compile!)
  -t, --sleep=SLEEP          Number of seconds to sleep before hollowing (default: 0)
  -g, --anti-debug=ANTI_DEBUG
                             Action to perform upon debugger detection Possible values: [none, die, troll] (default: none)
  -k, --key=KEY              RC4 key to [en/de]crypt the payload (supplied as a command line argument to the hollower)
  -v, --veh                  Hollow will occur within VEH
  -d, --debug                Compile as debug instead of release (loader is verbose)