Skip to content
An attempt at Process Doppelgänging
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
MalExe Adding the repo Dec 8, 2017
processrefund removed debug print Dec 15, 2017
.gitignore Fixed image name of process Dec 9, 2017
LICENSE.md Initial commit Dec 8, 2017
README.md Padding Dec 21, 2017
example.png
memory.png more pics Dec 9, 2017
modules.png more pics Dec 9, 2017
processrefund.VC.db Padding Dec 21, 2017
processrefund.sln Adding the repo Dec 8, 2017

README.md

Process Refund

An attempt to implement Process Doppelgänging

Getting Started

Just clone the repo and open the .sln with Visual Studio 2015.

Prerequisites

Currently this works only in x64. To use you need a dummy exe like svchost.exe and your malicous exe. read below - you need to be able to write over the file.

WARNING DONT USE ON WIN10 YOU WILL GET A BSOD.

exmaple:

processrefund.exe svchost.exe MalExe.exe

alt text alt text alt text

Problems with Process Doppelgänging

  • You can not replace any file. If you try to replace C:\windows\system32\svchost.exe you will get "Access Denied".
  • This techinque will not bypass all AntiViruses because of the use of NtCreateThreadEx, which is equal to CreateRemoteThread. An AntiVirus may monitor the creation of remote thread (via PsSetCreateThreadNotifyRoutine) thus detecting our Doppelgänging. Also an AntiVirus may compare the memory with the image of the created process and will be aware of our malicous process. This techinque may be good to avoid file signatures and loading executables without wiritng them to disk("filesless") but it will not avoid everything.

Acknowledgments

You can’t perform that action at this time.