This repository is for investigation of Windows process execution techniques. Most of PoCs are given a name corresponding to the technique.
-
CommandLineSpoofing : This PoC performs Command Line Spoofing.
-
GhostlyHollowing : This PoC performs Ghostly Hollowing.
-
PPIDSpoofing : This PoC performs PPID Spoofing.
-
ProcessDoppelgaenging : This PoC performs Process Doppelgänging. Due to kernel protection improvement, this technique does not work for recent Windows OS (> Windows 10 Version 1809, as far as I tested). See the issue for hasherezade's repository.
-
ProcessGhosting : This PoC performs Process Ghosting.
-
ProcessHollowing : This PoC performs Process Hollowing. Unlike the original, the PE image is parsed into a new memory area instead of using
ZwUnmapViewOfSection/NtUnmapViewOfSection. -
TransactedHollowing : This PoC performs Transacted Hollowing.
-
WmiSpawn : This PoC tries to spawn process with WMI. The processes will be spawn as child processes of
WmiPrvSE.exe. Supports local machine process execution and remote machine process execution. The usage can see README.md.
NOTE : Currently ProcessHollowing code does not works for Debug build. To test it, use Release build. See this issue.
-
https://www.hackingarticles.in/parent-pid-spoofing-mitret1134/
-
https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
-
https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
-
https://blog.nviso.eu/2020/01/31/the-return-of-the-spoof-part-1-parent-process-id-spoofing/
Thanks for your research:
-
Tal Liberman (@tal_liberman)
-
Eugene Kogan (@EuKogan)
-
hasherezade (@hasherezade)
-
Gabriel Landau (@GabrielLandau)