GitHub - hasherezade/process_doppelganging: My implementation of enSilo'...
source link: https://github.com/hasherezade/process_doppelganging
Process Doppelgänging
This is my implementation of the technique presented by enSilo:
https://www.youtube.com/watch?v=Cch8dvp836w
Characteristics:
- Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
- Sections mapped with original access rights (no RWX)
- Payload connected to PEB as the main module
- Remote injection supported (but only into a newly created process)
- Process is created from an unnamed module (GetProcessImageFileName returns empty string)
WARNING:
The 32-bit version works on 32-bit systems only.
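The last characteristic above, an empty result from GetProcessImageFileName, is also the observable a defender can look for. The script below is an added example and is not part of hasherezade's repository: it enumerates live processes through psapi (EnumProcesses, OpenProcess, GetProcessImageFileNameW via ctypes) and flags any whose image file name comes back empty, keeping processes that could not be opened in a separate bucket so an access-denied failure is not mistaken for an unnamed image. The `classify` helper takes plain `(pid, image_path)` records so the triage logic can be exercised on constructed input without Windows; the assumption that a failed query reports itself through GetLastError is marked in the code.

```python
"""Flag processes whose image file name is empty, the symptom the README
attributes to a doppelganged process. Added example, not the project's code."""
import ctypes
import sys

# Real Win32 constants (winnt.h / minwindef.h)
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
MAX_PATH = 260


def classify(records):
    """Split (pid, image_path) records into suspects and unreadable entries.

    image_path == ""   -> no file-backed image name: the condition the README
                          describes for a process created from an unnamed module
    image_path is None -> the query failed (access denied, protected process);
                          reported separately, never counted as a finding
    """
    unnamed, unreadable = [], []
    for pid, path in records:
        if path is None:
            unreadable.append(pid)
        elif path == "":
            unnamed.append(pid)
    return unnamed, unreadable


def collect_windows_records(max_pids=4096):
    """Enumerate processes with psapi and query each image file name (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("process enumeration via psapi needs Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    DWORD, HANDLE, BOOL = ctypes.c_uint32, ctypes.c_void_p, ctypes.c_int
    kernel32.OpenProcess.restype = HANDLE
    kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]
    kernel32.CloseHandle.argtypes = [HANDLE]
    psapi.EnumProcesses.argtypes = [ctypes.POINTER(DWORD), DWORD, ctypes.POINTER(DWORD)]
    psapi.GetProcessImageFileNameW.restype = DWORD
    psapi.GetProcessImageFileNameW.argtypes = [HANDLE, ctypes.c_wchar_p, DWORD]

    pids = (DWORD * max_pids)()
    needed = DWORD(0)
    if not psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    records = []
    for pid in pids[: needed.value // ctypes.sizeof(DWORD)]:
        handle = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not handle:
            records.append((pid, None))  # cannot open: leave for a privileged pass
            continue
        buf = ctypes.create_unicode_buffer(MAX_PATH)
        ctypes.set_last_error(0)  # clear stale values before the query
        length = psapi.GetProcessImageFileNameW(handle, buf, MAX_PATH)
        err = ctypes.get_last_error()
        kernel32.CloseHandle(handle)
        # Assumption: a zero return with no error code is the empty name the
        # README describes; a zero return with an error code is a failed query.
        if length == 0 and err != 0:
            records.append((pid, None))
        else:
            records.append((pid, buf.value))
    return records


if __name__ == "__main__":
    suspects, skipped = classify(collect_windows_records())
    print("processes with an empty image file name:", suspects)
    print("processes that could not be queried:", skipped)
```

An empty image name on its own is a lead, not a verdict: follow it up by comparing the PEB's main module against the process's mapped sections and by checking the process's parent and creation time, which are the other properties the list above describes.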