Skip to content

Spajed/processrefund

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
MalExe
MalExe
 
 
processrefund
processrefund
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
example.png
example.png
 
 
memory.png
memory.png
 
 
modules.png
modules.png
 
 
processrefund.VC.db
processrefund.VC.db
 
 
processrefund.sln
processrefund.sln
 
 

Repository files navigation

Process Refund

An attempt to implement Process Doppelgänging

Getting Started

Just clone the repo and open the .sln with Visual Studio 2015.

Prerequisites

Currently this works only in x64. To use you need a dummy exe like svchost.exe and your malicous exe. read below - you need to be able to write over the file.

WARNING DONT USE ON WIN10 YOU WILL GET A BSOD.

exmaple:

processrefund.exe svchost.exe MalExe.exe

alt text alt text alt text

Problems with Process Doppelgänging

  • You can not replace any file. If you try to replace C:\windows\system32\svchost.exe you will get "Access Denied".
  • This techinque will not bypass all AntiViruses because of the use of NtCreateThreadEx, which is equal to CreateRemoteThread. An AntiVirus may monitor the creation of remote thread (via PsSetCreateThreadNotifyRoutine) thus detecting our Doppelgänging. Also an AntiVirus may compare the memory with the image of the created process and will be aware of our malicous process. This techinque may be good to avoid file signatures and loading executables without wiritng them to disk("filesless") but it will not avoid everything.

Acknowledgments

About

An attempt at Process Doppelgänging

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

183 stars

Watchers

21 watching

Forks

95 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages