TRunPE

A modified RunPE (process hollowing) technique avoiding the usage of SetThreadContext by appending a TLS section which calls the original entrypoint.

https://winternl.com/trunpe

Proof-of-Concept Code

Future Improvements

  • Modifying an existing TLS section
  • Extending the IMAGE_SECTION_HEADER list if necessary
  • Placing the callback code in an already executable section
  • Relocation support

Visual Studio 2019

Tested with McAfee's bintext.exe on Windows 10
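
A defensive triage check for the layout described above, as an added example that is not part of the TRunPE project: it reads only the PE headers of an image (for instance one dumped from a process) and reports whether the TLS directory sits in the last section and whether that section is executable. The heuristic, the function names and the constructed sample headers (including the `.xtls` section name) are assumptions made for illustration; MSVC-built images normally keep the TLS directory in `.rdata`.

```python
import struct

TLS_DIR = 9                    # IMAGE_DIRECTORY_ENTRY_TLS
MEM_EXECUTE = 0x20000000       # IMAGE_SCN_MEM_EXECUTE

def tls_placement(image: bytes):
    """Return (section_name, is_last_section, is_executable) for the section
    holding the TLS directory, or None if no TLS directory maps into a section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (nt,) = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections and SizeOfOptionalHeader from the file header
    nsec, opt_size = struct.unpack_from("<H12xH", image, nt + 6)
    opt = nt + 24
    (magic,) = struct.unpack_from("<H", image, opt)
    dirs = opt + (96 if magic == 0x10B else 112)             # PE32 / PE32+
    (ndirs,) = struct.unpack_from("<I", image, dirs - 4)     # NumberOfRvaAndSizes
    if ndirs <= TLS_DIR:
        return None
    tls_rva, _size = struct.unpack_from("<II", image, dirs + 8 * TLS_DIR)
    if tls_rva == 0:
        return None
    for i in range(nsec):
        name, vsize, vaddr, flags = struct.unpack_from("<8sII20xI", image, opt + opt_size + 40 * i)
        if vaddr <= tls_rva < vaddr + vsize:
            return name.rstrip(b"\0").decode("latin-1"), i == nsec - 1, bool(flags & MEM_EXECUTE)
    return None

def is_suspicious(image: bytes) -> bool:
    # Assumed heuristic: TLS directory in an executable final section.
    hit = tls_placement(image)
    return hit is not None and hit[1] and hit[2]

def sample_headers(tls_rva: int) -> bytes:
    """Constructed PE32 headers only (no section data): .text, .rdata, .xtls."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    struct.pack_into("<HH12xHHH", hdr, 0x44, 0x14C, 3, 224, 0x102, 0x10B)
    struct.pack_into("<I", hdr, 0x58 + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 96 + 8 * TLS_DIR, tls_rva, 0x18)
    secs = [(b".text", 0x1000, 0x60000020), (b".rdata", 0x2000, 0x40000040), (b".xtls", 0x3000, 0x60000020)]
    for i, (name, va, flags) in enumerate(secs):
        struct.pack_into("<8sII20xI", hdr, 0x58 + 224 + 40 * i, name, 0x1000, va, flags)
    return bytes(hdr)
```

A hit is a reason to look closer, not a verdict: packers and protectors also place TLS data in unusual sections.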
