Skip to content

A modified RunPE (process hollowing) technique avoiding the usage of SetThreadContext by appending a TLS section which calls the original entrypoint.

License

Notifications You must be signed in to change notification settings

jackullrich/TRunPE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TRunPE

A modified RunPE (process hollowing) technique avoiding the usage of SetThreadContext by appending a TLS section which calls the original entrypoint.

https://winternl.com/trunpe

Proof-of-Concept Code

Future Improvements

  • Modifying an existing TLS section
  • Extending the IMAGE_SECTION_HEADER list if necessary
  • Placing the callback code in an already executable section
  • Relocation support

Visual Studio 2019

Tested with McAfee's bintext.exe on Windows 10

About

A modified RunPE (process hollowing) technique avoiding the usage of SetThreadContext by appending a TLS section which calls the original entrypoint.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Languages