Tangled WinExec
This repository is for the investigation of Windows process execution techniques. Most PoCs are given a name corresponding to the technique they implement.
Projects
- BlockingDLL : This toolset is for testing blocking-DLL processes. See README.md.
- CommandLineSpoofing : This PoC performs Command Line Spoofing. This technique may not work on Windows 11.
- DarkLoadLibrary : PoCs in this directory are for testing Dark Load Library, which was released by @_batsec_. See README.md.
- GhostlyHollowing : This PoC performs Ghostly Hollowing.
- PhantomDllHollower : This PoC performs Phantom DLL Hollowing. See README.md.
- PPIDSpoofing : This PoC performs PPID Spoofing.
- ProcessDoppelgaenging : This PoC performs Process Doppelgänging. Due to kernel protection improvements for Microsoft Defender, this technique does not work on recent Windows OS (since about 2021, maybe). If you want to test this technique in a newer environment, the Microsoft/Windows Defender Antivirus Service must be stopped. See the issue in hasherezade's repository.
- ProcessGhosting : This PoC performs Process Ghosting. Due to kernel protection, this technique does not work on newer Windows starting from 22H2.
- ProcessHerpaderping : This PoC performs Process Herpaderping. Due to a file lock issue, if you choose a fake image file smaller than the executable you want to run, shrinking the file fails and the file signature of the herpaderping process is corrupted. To take full advantage of this technique, the fake image file should be larger than the executable you want to run. Due to kernel protection, this technique does not work on newer Windows starting from 22H2.
- ProcessHollowing : This PoC performs Process Hollowing. Unlike the original, the PE image is parsed into a new memory area instead of using ZwUnmapViewOfSection/NtUnmapViewOfSection.
- ProcMemScan : This is a diagnostic tool for investigating a remote process. See README.md.
- ProtectedProcess : This toolset is for testing Protected Process. See README.md.
- ReflectiveDLLInjection : This toolset is for testing Reflective DLL Injection. See README.md.
- TransactedHollowing : This PoC performs Transacted Hollowing.
- WmiSpawn : This PoC tries to spawn a process with WMI. The processes will be spawned as child processes of WmiPrvSE.exe. It supports both local machine and remote machine process execution. See README.md for usage.
NOTE : Currently the ProcessHollowing code does not work for Debug builds. To test it, use a Release build. See this issue.
Reference
- Blocking DLL
- Command Line Spoofing
- Dark Load Library
- Phantom DLL Hollowing
- PPID Spoofing
- Process Doppelgänging
- Process Ghosting
- Process Herpaderping
- Process Hollowing
- Ghostly Hollowing and Transacted Hollowing
- Protected Process
  - The Evolution of Protected Processes – Part 1: Pass-the-Hash Mitigations in Windows 8.1
  - Injecting Code into Windows Protected Processes using COM - Part 1
  - Injecting Code into Windows Protected Processes using COM - Part 2
  - Relevance of Security Features Introduced in Modern Windows OS
  - Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10
  - Debugging the undebuggable and finding a CVE in Microsoft Defender for Endpoint
- Reflective DLL Injection
Acknowledgments
Thanks for your research:
- Tal Liberman (@tal_liberman)
- Eugene Kogan (@EuKogan)
- hasherezade (@hasherezade)
- Gabriel Landau (@GabrielLandau)
- Forrest Orr (@_forrestorr)
- Stephen Fewer (@stephenfewer)
- batsec (@_batsec_)