I was brainstorming methods of detecting process hollowing and other forms of code injection, and this one seemed pretty robust.
Would it be possible for a "process hollowing scanner" to enumerate all the executable pages in a process' memory, enumerate all the executable sections of the process' associated image file, and see if there were any pages in the memory that didn't have any corresponding pages in the image file, for example by fuzzy hashing the image file, hashing each memory page, and comparing the two sets?
This would seem to detect process hollowing very well -- any code injected into a process would not be present in the image file, and unless the attacker could find some collision attack against the hashing algorithm they wouldn't be able to fool the detector (and anyways multiple algorithms could be used). And because the detector relies on looking for anomalous extra segments in the process' memory instead of directly hashing the memory and comparing it to the file, it would work even if the entire image file isn't mapped into memory.
So is this a valid method of detecting process hollowing? I don't believe I've seen this method used anywhere to detect code injection (the closest I've seen is when rootkit scanners compare the hash of a process' entire memory section against the hash of the entire image file, which only works if the file is mapped entirely in memory).
Is this a feasible method to detect code injection/process hollowing?
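An added illustration of the page-set comparison the question describes (example code, not from the original post): the live process and the on-disk image are stood in for by constructed byte strings instead of being read through real process-memory APIs. It also shows the false positive a loader-applied relocation fix-up produces on an otherwise legitimate page, which a real scanner would have to mask before flagging.

```python
import hashlib

PAGE = 4096

def page_hashes(data, page=PAGE):
    """Split data into page-sized chunks (last chunk zero-padded) and
    return the per-page SHA-256 digests in order."""
    out = []
    for off in range(0, len(data), page):
        chunk = bytes(data[off:off + page]).ljust(page, b"\0")
        out.append(hashlib.sha256(chunk).hexdigest())
    return out

def image_page_set(sections):
    """sections: list of (name, is_executable, raw_bytes) taken from the
    image file. Only executable sections feed the reference set."""
    ref = set()
    for _name, executable, raw in sections:
        if executable:
            ref.update(page_hashes(raw))
    return ref

def find_foreign_pages(exec_regions, sections):
    """exec_regions: list of (base_address, bytes) for every executable
    region of the process. Returns (address, digest) for each page whose
    hash occurs nowhere in the image's executable sections."""
    ref = image_page_set(sections)
    foreign = []
    for base, data in exec_regions:
        for i, digest in enumerate(page_hashes(data)):
            if digest not in ref:
                foreign.append((base + i * PAGE, digest))
    return foreign

def fill(tag, pages):
    # Constructed, deterministic stand-in for real code bytes.
    return b"".join(hashlib.sha256(f"{tag}{i}".encode()).digest() * 128
                    for i in range(pages))

# Constructed sample image: a 4-page executable .text and a non-executable .data.
IMAGE_SECTIONS = [(".text", True, fill("text", 4)), (".data", False, fill("data", 2))]
# The same .text mapped at a hypothetical image base, with a 4-byte patch at the
# start of page 2 standing in for a relocation fix-up applied by the loader ...
mapped_text = bytearray(IMAGE_SECTIONS[0][2])
mapped_text[2 * PAGE:2 * PAGE + 4] = b"\xef\xbe\xad\xde"
# ... plus a separate executable region whose contents exist nowhere in the file.
PROCESS_REGIONS = [(0x140001000, bytes(mapped_text)), (0x7FF000000000, fill("inject", 2))]

def scan():
    return find_foreign_pages(PROCESS_REGIONS, IMAGE_SECTIONS)
```

`scan()` reports both pages of the foreign region and, as the caveat, the one relocated page of the legitimate .text mapping.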