[DMEW]

Is there any special reason why malware sometimes opts for process hollowing vs injection? They seem to achieve the same result, yet dll injection with createRemoteThread is much easier to implement and maintains the original process' code which may help hide it more. Whats the benefit?

[EP_X0FF]

Have no idea what is the "hollowing" you refering. Idiotic term from "security experts"?

[waffles2.0]

I assume he is referring to this, maybe?

https://www.trustwave.com/Resources/Spi ... Processes/

[DMEW]

Yes, the article describes the technique Im referring to. Maybe there is no benefit...just another technique

[EP_X0FF]

Oh you mean zombie process. The only benefit is AV/FW bypass. This applies to the use of any non-CreateRemoteThread methods.

[DMEW]

ah ok. thanks guys.