Process Doppelganging

Post by EP_X0FF » Wed Dec 13, 2017 2:31 pm

New way of code injection that can be achieved without having and/or dropping any additional files to disk.
Original source ... anging.pdf


Spajed version

My test version ... daea9a177f

The code may be bugged; however, it serves only a proof-of-concept demonstration purpose.

They are not that different and are all based on the presentation slides.

- It is relatively new;
- Can execute a payload from memory (fileless);
- The zombified target process has a legitimate look;
- It is a Windows design feature, not a bug or vulnerability, not in NTFS, not in the loader; nothing to fix here;
- Doesn't require admin privileges to execute.

- Semi-manual process creation required, cannot inject into already running processes;
- Target process memory modification required;
- Remote thread creation required;
- TmTx object required;
- Exotic API usage required (Windows doesn't use NtCreateProcessEx but NtCreateUserProcess instead in the CreateProcess API);
- Windows 10 TH2/RS1/RS2 null pointer dereference BSOD in NtCreateProcessEx;
- Practically useless anywhere except for potential limited malware usage.

I didn't test it with any of the crapware AVs available on the market and don't even want to download them, so I cannot confirm or deny any of the "undetectable" claims from these slides.
If someone wants to test some AVs, feel free to do so.
Ring0 - the source of inspiration