Process Doppelganging

Forum for discussion about user-mode development.
EP_X0FF
Global Moderator
Posts: 4792
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Process Doppelganging

Post by EP_X0FF » Wed Dec 13, 2017 2:31 pm

New way of code injection that can be achieved without having and/or dropping any additional files to disk.
Original source https://www.blackhat.com/docs/eu-17/mat ... anging.pdf

Implementations:

Spajed version
https://github.com/Spajed/processrefund

My test version
https://gist.github.com/hfiref0x/a9911a ... daea9a177f

The code may be bugged; however, it serves only a proof-of-concept demonstration purpose.

They are not that much different and are all based on the presentation slides.

Method advantages:
- It is relatively new;
- Can execute payload from memory (fileless);
- Zombified target process has legitimate look;
- It is a Windows design feature, not a bug or vulnerability, neither in NTFS nor in the loader; nothing to fix here;
- Doesn't require admin privileges to execute.

disadvantages:
- Semi-manual process creation required; cannot inject into already running processes;
- Target process memory modification required;
- Create remote thread required;
- TmTx object required;
- Exotic API usage required (Windows doesn't use NtCreateProcessEx but NtCreateUserProcess instead in CreateProcess API);
- Windows 10 TH2/RS1/RS2 null pointer dereference BSOD in NtCreateProcessEx;
- Practically useless anywhere except potential malware limited usage.

I didn't test it with any of the crapware AVs available on the market and don't even want to download them, so I cannot confirm or deny any of the "undetectable" claims from these slides.
If someone wants to test some AVs, feel free to do so.
Ring0 - the source of inspiration

Itachi Sempai
Posts: 2
Joined: Mon Jan 22, 2018 7:19 pm

Re: Process Doppelganging

Post by Itachi Sempai » Sun May 27, 2018 11:41 am

Could you upload the exe file of that test version? I really want to test the attack but can't execute that code.

waffles2.0
Posts: 28
Joined: Mon Aug 01, 2016 9:49 am

Re: Process Doppelganging

Post by waffles2.0 » Thu May 31, 2018 8:04 am

Just download from here https://github.com/Spajed/processrefund

then build and execute it as it says in the README.

Vrtule
Posts: 454
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Process Doppelganging

Post by Vrtule » Mon Jul 02, 2018 7:47 pm

EP_X0FF wrote:
nothing to fix here
Well, it seems Microsoft sort of fixed the issue (or attempted to do so at least). The Windows Defender filter driver (wdfilter.sys) blocks creation of processes with file objects being in transaction. I experienced this behavior on Windows 10 (older versions of Windows seem "unpatched").

Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Re: Process Doppelganging

Post by Brock » Tue Jul 03, 2018 10:47 pm

Interesting. Thanks for sharing, Vrtule.
Accept nothing less than STATUS_SUCCESS

EP_X0FF
Global Moderator
Posts: 4792
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Process Doppelganging

Post by EP_X0FF » Wed Jul 04, 2018 5:07 am

Vrtule wrote:
Mon Jul 02, 2018 7:47 pm
nothing to fix here
Well, it seems Microsoft sort of fixed the issue (or attempted to do so at least). The Windows Defender filter driver (wdfilter.sys) blocks creation of processes with file objects being in transaction. I experienced this behavior on Windows 10 (older versions of Windows seem "unpatched").
Does it drop any message or entry in WD log? Recently WD got some behavior signature (I assume via registry callback from driver) for massively abused "fileless" UAC bypass registry key.
Ring0 - the source of inspiration

Vrtule
Posts: 454
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Process Doppelganging

Post by Vrtule » Wed Jul 04, 2018 1:27 pm

EP_X0FF wrote:
Wed Jul 04, 2018 5:07 am
Vrtule wrote:
Mon Jul 02, 2018 7:47 pm
nothing to fix here
Well, it seems Microsoft sort of fixed the issue (or attempted to do so at least). The Windows Defender filter driver (wdfilter.sys) blocks creation of processes with file objects being in transaction. I experienced this behavior on Windows 10 (older versions of Windows seem "unpatched").
Does it drop any message or entry in WD log? Recently WD got some behavior signature (I assume via registry callback from driver) for massively abused "fileless" UAC bypass registry key.
It reports the blocking only by a call to its MpLogPrintfW routine.

Code:

MpLogPrintfW(
      (const char *)L"[Mini-filter] Blocked transacted process creation from %wZ, parent pid: %u",
      ImageFileName,
      ParentProcessId);
I am not sure whether this message reaches any logs; however, the logic behind MpLogPrintfW seems quite complicated at first glance (it definitely is not a simple wrapper around DbgPrintEx).
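Added example (not code from this thread, from wdfilter.sys, or from any of the linked projects): if the block message quoted above does end up in a text log, the format string itself is enough to build a parser for it. The snippet below turns a printf-style format string into an anchored regex with named groups, then runs it over constructed sample lines to pull out the blocked image path and the parent PID. The sample log lines, the field names `image` and `parent_pid`, and the assumption that the message is written out verbatim are all mine; the format string is the one quoted in the post.

```python
import re

# Format string of the block message, exactly as quoted from wdfilter.sys in the thread.
WDFILTER_BLOCK_FMT = (
    "[Mini-filter] Blocked transacted process creation from %wZ, parent pid: %u"
)

# printf-style specifiers used by DbgPrint-family routines, mapped to regex
# fragments. %wZ is a PUNICODE_STRING and is rendered as plain text.
_SPEC_PATTERNS = {
    "wZ": r"(?P<{name}>.+?)",
    "s": r"(?P<{name}>.+?)",
    "S": r"(?P<{name}>.+?)",
    "u": r"(?P<{name}>\d+)",
    "d": r"(?P<{name}>-?\d+)",
    "x": r"(?P<{name}>[0-9a-fA-F]+)",
    "X": r"(?P<{name}>[0-9a-fA-F]+)",
}


def format_to_regex(fmt, field_names):
    """Compile a printf-style format string into an anchored regex whose
    conversion specifiers become named capture groups (one name per specifier)."""
    names = iter(field_names)
    parts = []
    pos = 0
    for m in re.finditer(r"%(wZ|[sSudxX])", fmt):
        parts.append(re.escape(fmt[pos:m.start()]))   # literal text, escaped
        parts.append(_SPEC_PATTERNS[m.group(1)].format(name=next(names)))
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")


BLOCK_RE = format_to_regex(WDFILTER_BLOCK_FMT, ["image", "parent_pid"])


def parse_block_events(lines):
    """Return one dict per line that matches the block message; other lines
    (or partial matches, e.g. a non-numeric pid) are ignored."""
    events = []
    for line in lines:
        m = BLOCK_RE.match(line.strip())
        if m:
            events.append({"image": m.group("image"),
                           "parent_pid": int(m.group("parent_pid"))})
    return events


# Constructed sample lines (hypothetical log content; not real wdfilter output).
SAMPLE_LOG = [
    "[Mini-filter] Blocked transacted process creation from "
    "\\Device\\HarddiskVolume2\\Users\\lab\\target.exe, parent pid: 4120",
    "[Mini-filter] some other event that should not match",
    "[Mini-filter] Blocked transacted process creation from "
    "\\??\\C:\\Temp\\host.exe, parent pid: 988",
]

if __name__ == "__main__":
    for ev in parse_block_events(SAMPLE_LOG):
        print(f"blocked: {ev['image']} (parent pid {ev['parent_pid']})")
```

The regex is anchored at both ends and the `%wZ` group is non-greedy, so a line that has the right prefix but a malformed trailing pid does not produce a half-parsed event; the parent PID is what you would pivot on next, since the blocked image is the zombified target and the parent is the process that attempted the transacted creation.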

EP_X0FF
Global Moderator
Posts: 4792
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Process Doppelganging

Post by EP_X0FF » Thu Jul 05, 2018 6:05 am

That's interesting find, thanks for sharing.
Ring0 - the source of inspiration
