EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

Podcast/EP 03
The Malicious Process Lifecycle: From Execution to Evasion cover art
REMAEP 03
12 May 2026

The Malicious Process Lifecycle: From Execution to Evasion

Explore how malware executes, persists, injects into processes, and evades detection inside modern operating systems. This episode breaks down the complete lifecycle of malicious processes using practical malware-analysis concepts and real-world attack techniques.

0:00 / 0:00
EpochZero Tech Talks — The Malicious Process Lifecycle: From Execution to Evasion

Transcript

Conversation between Alex and Maya

Alex — leftMaya — right
Alex
Imagine getting a frantic ping from the help desk, like a user just double-clicked a suspicious file named invoice.exe that they downloaded from some random email.
Maya
Yeah, standard Tuesday.
Alex
Right.
Maya
And you remote into their machine, maybe 30 seconds later, you open their downloads folder to grab the file for analysis, and it is completely gone.
Alex
Just vanished.
Maya
Exactly.
Alex
You open task manager, everything looks perfectly normal.
Maya
The antivirus is dead silent.
Alex
But, you know, without a doubt, that machine is completely compromised.
Maya
Because the trick is already done.
Alex
I mean, the illusion is complete at that point.
Maya
And if you rely solely on what the operating system is telling you on the surface, well, you're going to lose that machine entirely.
Alex
So pull up a chair, grab a seat at the desk.
Maya
Welcome to the lab.
Alex
Today, we're doing something a little different.
Maya
We are treating you, the listener, like the newest junior analyst on our threat intel team.
Alex
What?
Maya
Welcome to the team.
Alex
Yeah.
Maya
We've got this massive stack of intel sitting right here between us.
Alex
We've got the Rima eBook Foundations, some core RE101 fundamentals, and a really fresh batch of NJRS student reports.
Maya
Some really good stuff in those reports, actually.
Alex
Oh, absolutely.
Maya
And our mission for this deep dive is to trace the complete start-to-finish lifecycle of a malicious process.
Alex
We really want to show you how to look at a compromised system and see those invisible footprints left behind by malware.
Maya
Because, and this is crucial, it isn't magic.
Alex
Right.
Maya
It feels like magic, but it's not.
Alex
Exactly.
Maya
It's just a repeatable, logical series of technical steps.
Alex
Once you understand how a binary, say, maps its imports, or how it hollows out a legitimate process and how it melts its original tracks, nothing can hide from you.
Maya
Let's start at the very beginning, then.
Alex
Before a malicious process can even, you know, dream of executing in memory and wreaking havoc, it's just a dormant file sitting on the hard drive.
Maya
Just dead bytes on a disk.
Alex
Right.
Maya
And I'm looking at the Rima eBook notes here, and they use this great analogy of comparing a Windows portable executable, a PE file, to a physical printed book.
Alex
I love that analogy.
Maya
It holds up incredibly well in the field, actually.
Alex
Practically every executable file loaded by Windows, whether it's an XC or a DL or a SysDriver, it all uses that PE format.
Maya
Okay.
Alex
So when you pick up a physical book, the very first thing you see is the cover.
Maya
In a PE file, that cover is the DOS header.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
Right.
Alex
Right.
Maya
MZ marks the cowskies initials, right?
Alex
Yeah, the original architect of the format.
Maya
Yeah, you've done your homework.
Alex
Those two bites simply tell the operating system, yes, I am a valid executable.
Maya
Makes sense.
Alex
And once you get past the cover, you open the book and you find the table of contents.
Maya
Which would be the PE header?
Alex
Correct.
Maya
The PE header is basically the metadata.
Alex
It acts as this instruction manual for the Windows OS Loader detailing exactly how to map this file from the hard drive into the computer's actual memory to find space requirements and it acts as an index for the actual content of the file and that content is divided into what we call sections and if the PE header is the table of contents the sections are the actual chapters of the book exactly this is where the meat of the file lives so you've got the dot text section which holds the actual machine code like the raw instructions the CPU is going to execute right and then you have the dot data or art art data sections where the program stores its hard-coded strings like IP addresses or registry keys things like that yeah and as an analyst checking the condition of those chapters is really your first clue if you open a book and the text is entirely in a scrambled completely unreadable language well you know something is wrong actually that perfectly lines up with these jigsaw ransomware report sitting right here the analysts notice that the data is stored in a completely unreadable language that the dot text section of the ransomware had incredibly high entropy okay like the data was completely randomized and compressed I'm assuming that means the code is packed or obfuscated right to hide its true intent from us exactly the structure alone tells a story before a single instruction is ever executed yeah I mean a packed dot text section just means the malware is actively trying to prevent you from reading its code statically but wait I want to challenge something here let's say the dot text section isn't packed the malware's custom code is sitting right in the middle of the system and the malware is sitting right in the middle of the system and the malware is sitting right in the middle of the system and right there in plain text how does the malware actually know how to talk to the windows operating system because the attacker didn't write an entire networking stack or a file system from scratch inside their dot text section no they absolutely did not that'd be insane malware is inherently parasitic right it has to borrow functionality from the host environment he needs the OS exactly it has to ask Windows for help and it does that through a mechanism called the import address table or the IAT okay so an index of external help yeah thank you for that thank you for that thank you for that think of it like looking inside a contractor's toolbox before they start a job on your house oh I like that the IAT is just a list of functions that the executable requests from external Windows libraries like kernel 32 DLL or user 32 DLL right if a piece of software wants to create a file it imports the create file function it wants to monitor the keyboard it imports set windows hook X oh I see where this is going so if I am analyzing a dormant file and I check its IAT and I see it requesting pipe wrenches and a soldering iron I know it's there to do plumbing and if I see it importing create process and write process memory I have a massive clue that this thing is planning to inject code into other programs that is exactly the mindset you need to have understand the IAT is your very first step in reverse engineering because it reveals the malware's capabilities before it ever runs it shows you the tools right but you know malware authors know we look at this so going back to your point about packed executables when malware is heavily packed the iat is often intentionally destroyed or hidden wow you might look at the file and see zero imported functions which is a huge red flag on its own i mean a windows program that doesn't ask windows for a single piece of help that's physically impossible yeah it means the malware is hiding its toolbox and plans to resolve those functions dynamically in memory like only after it unpacks itself now you're thinking like an analyst ah so we've analyzed the dormant file we know its structure let's move to the execution phase let's do it what happens the exact moment that user is tricked into double-clicking our invoice.exe in their downloads folder well this goes back to my scenario at the start of the deep dive the user clicks it but the file just disappears right i have to push back on this mechanically though like if i open a regular word document and then try to delete that file from my hard drive while it's open windows throws a massive error saying file is open in another program it blocks the deletion the standard file lock exactly so how does the malware delete itself while it's actively running it uses an anti-forensic technique we call the melt process it bypasses that windows file lock restriction through a really clever sequence of events okay let me do it so when invoice.exe runs from the downloads folder the very first thing it does is copy its own executable file to a hidden or less obvious system directory usually the app data folder or some type of file like the one you're using right now and then it's going to use the temporary directory.
Maya
Okay, so now we have two identical copies of the malware sitting on the hard drive.
Alex
Exactly.
Maya
Step two, the malware executes that new copy it just placed in the app data folder.
Alex
So the hidden copy is now running in memory.
Maya
Oh, I see.
Alex
And the original copy in the downloads folder.
Maya
That original process is instructed to terminate itself.
Alex
It just closes.
Maya
And the moment it closes, the file lock is released.
Alex
Wow.
Maya
Now, the newly launched hidden process reaches back to the downloads folder.
Alex
It will either drop a temporary batch script onto the hard drive.
Maya
And actually, in some of these NJRAD reports, you'll see a script literally named melt.bat.
Alex
They don't even try to hide the name.
Maya
Sometimes they don't.
Alex
Or instead of a script, it will just invoke the Windows command line quietly using cmd.exe.cda.
Maya
And the sole purpose of that command is to silently delete the original invoice.exe.
Alex
That is absolutely brilliant.
Maya
I mean, think about it from the attacker's perspective.
Alex
By the time the user realizes something weird just happened and calls IT, the original file is already gone.
Maya
A long gone.
Alex
The incident responder comes looking for the payload, and they're staring at an empty folder.
Maya
It just leaves an invisible footprint.
Alex
Exactly.
Maya
It forces you, the analyst, to pivot away from the hard drive entirely and hunt for the threat entirely in volatile memory.
Alex
Right.
Maya
Which brings us to the hide and seek phase of the lifecycle.
Alex
Okay.
Maya
So the malware deleted its original body, but the copy is still running from the app data folder.
Alex
So the malware is still running from the app data folder.
Maya
So the malware is still running from the app data folder to do its dirty work.
Alex
Yeah.
Maya
But if I just open up the basic Windows task manager, why don't I see a highly suspicious process named, I don't know, evil-njrat.exe staring back at me?
Alex
Well, because malware authors evolved beyond simple process creation years ago.
Maya
Fair enough.
Alex
In Windows, the API function to start a new program is create process.
Maya
It's just the operating system launching an application.
Alex
Yeah.
Maya
A threat actor could use this to run their malware, but it is incredibly difficult to do so.
Alex
So the API function to start a new program is create process.
Maya
It's just the operating system launching an application.
Alex
Yeah.
Maya
It sticks out to any user or any basic security tool.
Alex
Right.
Maya
They need a disguise.
Alex
So they use process hollowing.
Maya
Ah, yeah.
Alex
Instead of running as an independent suspicious process, the malware hides inside the empty shell of a completely legitimate, trusted Windows process.
Maya
I love the analogy we use in the lab for this.
Alex
It's like a digital carjacking.
Maya
It really is.
Alex
Or like a hermit crab taking over a discarded shell.
Maya
To the operating system and to you looking at task manager, it just looks like a trusted Windows process.
Alex
It's like Svcoast.exe driving normally down the street.
Maya
Yep.
Alex
But the malicious payload has secretly thrown the original driver out and is now sitting behind the wheel.
Maya
Let's actually break down the exact API sequence of how they pull off that carjacking.
Alex
Because when you are reading logs tomorrow, you really need to recognize this pattern.
Maya
Okay.
Alex
Step one.
Maya
Step one.
Alex
The malware calls create process to start a legitimate tool like Svcoast.exe, but it passes a specific flag called create suspended.
Maya
So they turn the car on and they're like, oh, I'm going to do this.
Alex
And they leave it in park.
Maya
The legitimate code is loaded into memory, but the CPU hasn't executed a single line of it yet.
Alex
Perfect analogy.
Maya
Step two.
Alex
The malware calls a system function called end to unmet view off section.
Maya
Okay.
Alex
This is the actual carjacking.
Maya
It forcefully stoops out the legitimate code from that suspended process's memory space.
Alex
It literally hollows it out, leaving a void inside the trusted process boundary.
Maya
So the original driver is thrown out onto the street.
Alex
We now have a trusted Windows process name, but it's completely empty inside.
Maya
Exactly.
Alex
Step three.
Maya
The malware calls virtual AllocX to allocate fresh memory space inside that empty shell.
Alex
And then it calls write process memory.
Maya
To write the bad stuff.
Alex
Right.
Maya
This takes the malicious payload and stuffs it right into the hollowed out space.
Alex
The hijacker gets behind the wheel.
Maya
But the process is still suspended.
Alex
Right.
Maya
It's still in park.
Alex
Exactly.
Maya
Yeah.
Alex
So step four.
Maya
The malware calls set thread context to point the execution's starting line to its newly injected code.
Alex
And finally, the malware calls set thread context to point the execution's starting line to its newly injected code.
Maya
And finally, the malware calls set thread context to point the execution's starting line to its newly injected code.
Alex
It calls ResmThread.
Maya
It takes the car out of park and hits the gas.
Alex
You got it.
Maya
And to the operating system, it looks completely normal.
Alex
I mean, the file path points to the real C Windows System 32 as vcoast.exe.
Maya
But inside, it's pure malware.
Alex
Yeah.
Maya
Which actually brings up a huge problem for me as a defender.
Alex
If Task Manager says everything is fine, how do I actually catch this?
Maya
Is the OS just lying to me?
Alex
Well, the operating system is showing you what the malware wants it to see.
Maya
Task Manager reads from a structure called the Process Environment Block, or the PB.
Alex
Okay.
Maya
The malware manipulated the PB to maintain the disguise.
Alex
To catch the hermit crab, you have to look deeper into the Windows kernel space, specifically at the virtual address descriptor, or the VAD tree.
Maya
Okay, let's pause.
Alex
Explain the VAD tree for me.
Maya
Sure.
Alex
The VAD tree is the operating system's private internal map of who is allowed to use which blocks of memory.
Maya
Task Manager never looks at it.
Alex
Ah, okay.
Maya
Before the hollowing took place, the memory protections for svcoast.exe were set for normal, legitimate, executable code.
Alex
Right.
Maya
But to shove its payload into that space, the malware had to change those internal memory protections to read, write, execute.
Alex
Ah, I see.
Maya
So if you compare them, like if the PB says, I am a normal, safe file, but the VAD tree shows this massive block of memory suddenly flagged as read, write, execute.
Alex
Yeah.
Maya
You've found the discrepancy.
Alex
You've caught the lie.
Maya
Exactly.
Alex
You bypassed the illusion entirely.
Maya
So now our malware has melted its original file, and it is happily executing inside a hollowed-out process.
Alex
It's doing its thing.
Maya
But memory is volatile.
Alex
What happens when the user shuts down their laptop at 5 p.m.?
Maya
Right.
Alex
The RAM gets wiped clean.
Maya
The hermit crab dies.
Alex
Exactly.
Maya
So if the attacker wants to maintain their foothold tomorrow morning, they have to establish persistence.
Alex
They need some kind of anchor.
Maya
They do.
Alex
And I know the first place everyone looks is the Windows registry, specifically the basic run keys, like current version run.
Maya
Right.
Alex
If a program puts its path there, Windows just automatically starts it upon login.
Maya
Sure.
Alex
But that is malware 101.
Maya
Every basic antivirus scans the run keys.
Alex
As a high-end analyst, you have to hunt in the deeper persistence hotspots.
Maya
Okay.
Alex
Like what?
Maya
Advanced threat actors prefer scheduled tasks.
Alex
They use the built-in Windows utilities tasks.exe to quietly set a trigger that relaunches the malicious code every time the system boots or maybe, you know, every day at noon.
Maya
Oh, and what makes that so frustrating is that legitimate IT administrators use scheduled tasks constantly, like for software updates and system maintenance.
Alex
Oh, yeah.
Maya
All the time.
Alex
So the malware just blends right into the background noise of normal administration.
Maya
It's perfect camouflage.
Alex
But if a threat actor wants highly privileged, deeply embedded persistence, they will target service creation.
Maya
Services.
Alex
Yeah.
Maya
Windows services are background helper applications.
Alex
They handle core operating system features like network translation, printing, event logging.
Maya
Stuff the user never knows.
Alex
Stuff the user never sees.
Maya
Right.
Alex
They run completely invisible to the user.
Maya
But why go through the trouble of installing as a service, though?
Alex
Like what's the actual technical advantage over a scheduled task?
Maya
Privileges.
Alex
Pure and simple.
Maya
Windows needs its critical services to start managing hardware and networks long before a human user ever types in their password.
Alex
Oh, right.
Maya
Because of that, services often run under the system account.
Alex
System is the absolute highest privilege level on a Windows machine.
Maya
It has more access than a standard administrator.
Alex
Oh, wow.
Maya
If malware installs itself as a service, it practically owns the box.
Alex
That's game over.
Maya
Pretty much.
Alex
And to make it even stealthier, they rarely create a brand new standalone service.
Maya
Why not?
Alex
Because a new, weirdly named service sticks out in the logs.
Maya
Instead, they use a specific type of service called a Win32 share process.
Alex
Walk me through what that means.
Maya
So to save memory, Windows groups multiple related services together into a single shared process.
Alex
So to save memory, Windows groups multiple related services together into a single shared process.
Maya
So to save memory, Windows groups multiple related services together into a single shared process.
Alex
So to save memory, Windows groups multiple related services together into a single shared process.
Maya
So to save memory, Windows groups multiple related services together into a single shared process.
Alex
So to save memory, Windows groups multiple related services together into a single shared process.
Maya
This is actually why if you look at Task Manager, you see dozens of svcoast.exe processes running simultaneously.
Alex
Each of those is hosting a group of shared services.
Maya
Each of those is hosting a group of shared services.
Alex
Right, I've always wondered why there were so many of those.
Maya
Right.
Alex
I've always wondered why there were so many of those.
Maya
Right, I've always wondered why there were so many of those.
Alex
Exactly.
Maya
So what the malware does is modify the registry to add its malicious DILL into one of those existing legitimate service groups.
Alex
It literally piggybacks on a trusted Windows infrastructure.
Maya
It literally piggybacks on a trusted Windows infrastructure.
Alex
Man.
Maya
So to me, the analysts, I just see another normal svcoast.exe running.
Alex
But hidden deep in its registry parameters, the service path is pointing straight to the malicious payload.
Maya
You wouldn't see it unless you knew exactly where to look.
Alex
Okay, let's zoom out a bit.
Maya
We've mapped the entire lifecycle.
Alex
We have.
Maya
We started with the dormant PE book and its IAT toolbox.
Alex
We saw the melt process erase the original file.
Maya
We watched it carjack a legitimate process through hollowing.
Alex
And we found its persistence anchors in scheduled tasks and background services.
Maya
A full lifecycle.
Alex
Right.
Maya
We know the theory.
Alex
But if I'm sitting in the lab tomorrow, how do I actually prove this happened on my victim's machine?
Maya
Like, how do I connect all this?
Alex
You have to combine static analysis with dynamic analysis.
Maya
One without the other just gives you an incomplete picture.
Alex
Give me a practical example of how we map that out.
Maya
Okay, let's say you're performing static analysis on a sample you managed to recover.
Alex
Okay.
Maya
You are dumping the strings from the dot data section, and you find a hard-coded command.
Alex
cmd.exe slash ctasks slash create slash tn windows update.
Maya
Okay, that's a massive clue.
Alex
It looks like it wants to create a fake scheduled task named windows update.
Maya
Exactly.
Alex
But it's just text.
Maya
I mean, finding that string doesn't guarantee the malware actually succeeded in running it on the live machine.
Alex
It just shows intent.
Maya
Precisely.
Alex
So you take that static clue.
Maya
Okay.
Alex
And you move to dynamic validation.
Maya
Right.
Alex
You boot up your isolated lab environment.
Maya
You start a monitoring tool like Process Monitor or ProcMon, which logs every single registry edit, file creation, and API call on the system in real time.
Alex
Okay.
Maya
Then you execute the malware.
Alex
You let it off the leash.
Maya
You let it run wild.
Alex
And as you scroll through the massive wall of ProcMon logs, you filter for process creation.
Maya
And what are you looking for?
Alex
Suddenly, you see the malware spawn a new cmd.exe child process.
Maya
You check the command line arguments logged for that child process.
Alex
And there it is, stask, slash, create, slash, tn, windows update.
Maya
Boom.
Alex
You just connected the dots.
Maya
Exactly.
Alex
You map the static intent, the strings sitting dormant in the file, to the dynamic behavioral footprint left on the live system.
Maya
You caught them red-handed.
Alex
You now have a proven, irrefutable artifact trail of exactly how this malware operates and persists.
Maya
You've basically stripped away the magic.
Alex
You have reverse engineered the trick.
Maya
And, you know, once you do that, writing the detection, rules to catch it on 10,000 other machines across your network becomes trivial.
Alex
So to summarize our mentor session today for you listening, you now know how to read the PE format like a book and check the IAT toolbox to predict capabilities.
Maya
Yep.
Alex
You know, to anticipate the melt process, deleting the original evidence.
Maya
You know how to track the hermit crabs hiding inside hollowed out processes by checking memory permissions.
Alex
The VAD tree.
Maya
Right.
Alex
And you know how to hunt in the deep persistence hotspots.
Maya
Looking for malicious.
Alex
Malicious services and scheduled tasks.
Maya
And if we pull all of this together, it really forces us to confront a rather profound reality about the environments we defend.
Alex
What do you mean?
Maya
Well, we just walked through how advanced malware can melt its original binary, completely bypass the hard drive by living in the registry and hollow out trusted processes in volatile memory.
Alex
It effectively becomes fileless.
Maya
It does.
Alex
Which raises a really critical question for you to take back to your desk.
Maya
If the malware's entire strategy is to subvert the operating system's reporting mechanisms if it lies to the process environment block and piggybacks on legitimate service hosts, how much trust can we truly place in the operating system's built-in tools?
Alex
Wow.
Maya
When task manager says your system is healthy, can you actually trust it?
Alex
It forces us to question the very fabric of the system.
Maya
You have to build tools and instincts that look beneath the surface illusions.
Alex
Because at the end of the day, when you step up to an incident, the system is going to try to show you a magic.
Maya
It really is.
Alex
It's going to show you clean processes, empty folders, and normal-looking services.
Maya
Your job, taking these concepts back to your own lab, is to ignore the misdirection.
Alex
Don't look at the empty hand.
Maya
Exactly.
Alex
Look at the mechanics.
Maya
Because once you see the code, the magic is gone and you can really get to work.

Show Notes

Key topics covered: - Malware Execution Flow: Understanding how malicious binaries begin execution inside a target system. - Process Injection Techniques: DLL injection, hollowing, and stealth execution strategies. - Persistence & Survival: Registry abuse, startup persistence, scheduled tasks, and hidden execution. - Evasion Tactics: Anti-debugging, anti-VM detection, and runtime obfuscation methods. - Incident Response Perspective: Tracking malicious process behaviour during forensic investigations.
Previous episode
EP 02 · The Art of Deception: Unmasking Anti-Analysis & Evasion Techniques
Next episode
EP 04 · Spotting Forensic Gold in Malware Strings
More Episodes
The Binary Physics of Memory Corruption
EP 01REMA

The Binary Physics of Memory Corruption

The Art of Deception: Unmasking Anti-Analysis & Evasion Techniques
EP 02REMA

The Art of Deception: Unmasking Anti-Analysis & Evasion Techniques

Spotting Forensic Gold in Malware Strings
EP 04REMA

Spotting Forensic Gold in Malware Strings

Malware Blueprints in Portable Executable Headers
EP 05REMA

Malware Blueprints in Portable Executable Headers

The Cloud-Malware Paradox: Bridging Forensics and Defense
EP 06Cloud Security

The Cloud-Malware Paradox: Bridging Forensics and Defense

The Hypervisor Is Your True Security Perimeter
EP 07Cloud Security

The Hypervisor Is Your True Security Perimeter

View all episodes →