
CompTIA Security+ (Plus): What Is the Attack Called When Malware Replaces Code in a Legitimate Process Like svchost.exe?

What is process hollowing in cybersecurity, and how does it help malware evade detection by hiding in legitimate processes? Learn why process hollowing is a critical attack technique for the CompTIA Security+ (Plus) SY0-701 exam.

Question

Malware injects itself into a legitimate system process like svchost.exe, replacing its code while keeping its process ID (PID). What is this attack called?

A. Process hollowing
B. Rootkit installation
C. DLL hijacking
D. API hooking
E. Session hijacking

Answer

A. Process hollowing

Explanation

The malware hides inside a legitimate process, making detection harder.

The attack where malware injects itself into a legitimate system process (such as svchost.exe), replacing its code while keeping the original process ID (PID), is called process hollowing.

Process hollowing is a stealthy code injection technique where an attacker creates a legitimate process in a suspended state, removes (or “hollows out”) its original code, and replaces it with malicious code before resuming execution.

The process continues to run under the name and PID of the legitimate application (e.g., svchost.exe), making it appear normal to system monitoring tools and security software.

This technique allows malware to evade detection, as the malicious code operates entirely within the context of a trusted process, bypassing many traditional defenses and forensic tools.

Process hollowing is commonly used in advanced persistent threats (APTs) and is especially effective for maintaining persistence, escalating privileges, and blending malicious activity with legitimate system operations.

Detection is challenging because the process appears legitimate, and the injected code runs in memory rather than from disk, leaving minimal forensic evidence.
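Because the hollowed process keeps its legitimate name and PID, defenders look at memory rather than the process list: after hollowing, the region at the PEB's ImageBaseAddress is private, anonymous memory instead of the file-backed image mapped from disk. The following is an added example, not code from the original page, that applies that heuristic to constructed process snapshots; the snapshot structures and the sample values are assumptions, standing in for what a memory scanner (VirtualQueryEx / GetMappedFileName or a Volatility-style tool) would report.

```python
from dataclasses import dataclass, field
from typing import Optional

MEM_IMAGE = "MEM_IMAGE"      # region backed by a PE file mapped from disk
MEM_PRIVATE = "MEM_PRIVATE"  # anonymous memory (VirtualAlloc/WriteProcessMemory)

@dataclass
class Region:
    base: int
    size: int
    mem_type: str               # MEM_IMAGE or MEM_PRIVATE
    protect: str                # e.g. "PAGE_EXECUTE_READ"
    mapped_file: Optional[str]  # file backing the region, None if anonymous

@dataclass
class ProcessSnapshot:
    pid: int
    image_path: str             # main-module path the process list reports
    peb_image_base: int         # ImageBaseAddress read from the process's PEB
    regions: list = field(default_factory=list)

def hollowing_indicators(proc: ProcessSnapshot) -> list:
    """Reasons the process looks hollowed; an empty list means no indicator."""
    base = proc.peb_image_base
    # The region containing the PEB image base, as VirtualQueryEx would report it.
    r = next((x for x in proc.regions if x.base <= base < x.base + x.size), None)
    if r is None:
        return ["PEB ImageBaseAddress points at unmapped memory"]
    reasons = []
    if r.mem_type != MEM_IMAGE:  # original section unmapped, private pages written
        reasons.append(f"main image region is {r.mem_type}, not MEM_IMAGE")
    if r.mapped_file and r.mapped_file.lower() != proc.image_path.lower():
        reasons.append(f"mapped file {r.mapped_file} != reported {proc.image_path}")
    if r.protect == "PAGE_EXECUTE_READWRITE":  # a file-backed image is rarely RWX
        reasons.append("main image region is writable and executable")
    return reasons

def scan(procs: list) -> dict:
    """Map PID -> indicators for every process that shows at least one."""
    return {p.pid: ind for p in procs if (ind := hollowing_indicators(p))}

# Constructed sample snapshots (not real captures): a healthy svchost.exe and a
# hollowed one that still carries the svchost.exe name and its own PID.
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE = [
    ProcessSnapshot(1234, SVCHOST, 0x7FF600000000, [
        Region(0x7FF600000000, 0x20000, MEM_IMAGE, "PAGE_EXECUTE_READ", SVCHOST)]),
    ProcessSnapshot(4321, SVCHOST, 0x400000, [
        Region(0x400000, 0x30000, MEM_PRIVATE, "PAGE_EXECUTE_READWRITE", None)]),
]
```

Running `scan(SAMPLE)` flags only PID 4321, whose main image is private RWX memory with no backing file, while the process list would show both as an ordinary svchost.exe.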

Process hollowing enables malware to hide inside a legitimate process by replacing its code while retaining its original process ID, making detection by security tools significantly more difficult.
