Thursday February 6, 2025 3:00pm - 3:50pm MST
Malware used in ransomware campaigns and targeted attacks makes a concerted effort to conceal its injected code from AVs, EDRs, and manual inspection. This deception includes removing obvious signs of malicious code, such as memory regions allocated as readable, writable, and executable, or DLLs loaded from unusual directories. Instead, modern forms of code injection, such as process hollowing, process ghosting, module stomping, and their many variants, are used to bypass scanners that rely on outdated detections. In this talk, attendees will be taken through the methods that modern malware uses to inject code in a stealthy manner, along with how such malware can be detected using volatile memory analysis. This analysis will be performed using Volatility 3, the latest version of the most widely used open-source memory forensics framework. Attendees will leave understanding how to detect modern code injection, and with slides documenting how to integrate such detection workflows into real-world, enterprise settings.
Speakers
Andrew Case

Digital Forensics Research, Volatility Project
Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling, digital forensics, and malware analysis. He has conducted numerous large-scale investigations that span enterprises and industries. Case is a core developer of Volatility...
Penrose