Skip to content

hasherezade/process_doppelganging

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
2 branches 4 tags
Code

Latest commit

@hasherezade
hasherezade Merge pull request #5 from DymOK93/feature_nonwritable_handle
49bcb8b Aug 30, 2022
Merge pull request #5 from DymOK93/feature_nonwritable_handle 
Creation a process from transacted reader handle
49bcb8b

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.appveyor.yml
Update .appveyor.yml
June 25, 2020 00:14
CMakeLists.txt
[REFACT] Moved functions to new files
June 7, 2021 01:05
README.md
Update README.md
June 7, 2021 00:42
main.cpp
Creation a process from transacted reader handle; removed unused para…
August 30, 2022 14:56
ntddk.h
[NOBIN] Indentation cleanup
August 29, 2018 01:01
ntdll_types.h
[INIT] Working version for 64bit
December 16, 2017 14:08
ntdll_undoc.cpp
[REFACT] Code cleanup, small refactoring.
December 16, 2017 23:42
ntdll_undoc.h
[REFACT] Code cleanup, small refactoring.
December 16, 2017 23:42
pe_hdrs_helper.cpp
[NOBIN] Indentation cleanup
August 29, 2018 01:01
pe_hdrs_helper.h
[INIT] Working version for 64bit
December 16, 2017 14:08
process_env.cpp
[FEATURE] Use calc as a default target
June 7, 2021 01:14
process_env.h
[REFACT] Moved functions to new files
June 7, 2021 01:05
util.cpp
[FEATURE] Use calc as a default target
June 7, 2021 01:14
util.h
[FEATURE] Use calc as a default target
June 7, 2021 01:14
Process Doppelgänging Characteristics:

README.md

Process Doppelgänging

Build status

This is my implementation of the technique presented by enSilo:
https://www.youtube.com/watch?v=Cch8dvp836w

Characteristics:

  • Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
  • Sections mapped with original access rights (no RWX)
  • Payload connected to PEB as the main module
  • Remote injection supported (but only into a newly created process)
  • Process is created from an unnamed module (GetProcessImageFileName returns empty string)
WARNING:
The 32bit version works on 32bit system only.

About

My implementation of enSilo's Process Doppelganging (PE injection technique)

hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/

Topics

malware pe-injector process-doppelganging

Resources

Readme
Activity

Stars

522 stars

Watchers

19 watching

Forks

124 forks
Report repository

Releases 4

0.4 Latest
Aug 18, 2021
+ 3 releases

Packages

No packages published

Contributors 2

Languages