This repository is for investigation of Windows process execution techniques. Most PoCs are named after the technique they demonstrate.
- CommandLineSpoofing : This PoC performs Command Line Spoofing.
- GhostlyHollowing : This PoC performs Ghostly Hollowing.
- PPIDSpoofing : This PoC performs PPID Spoofing.
- ProcessDoppelgaenging : This PoC performs Process Doppelgänging. Due to kernel protection improvements, this technique does not work on recent Windows versions (newer than Windows 10 Version 1809, as far as I tested). See the issue in hasherezade's repository.
- ProcessGhosting : This PoC performs Process Ghosting.
- ProcessHollowing : This PoC performs Process Hollowing. Unlike the original technique, the PE image is loaded into a newly allocated memory area instead of unmapping the original image with `ZwUnmapViewOfSection`/`NtUnmapViewOfSection`.
- TransactedHollowing : This PoC performs Transacted Hollowing.
- WmiSpawn : This PoC spawns a process via WMI. The processes are spawned as child processes of `WmiPrvSE.exe`. Both local and remote process execution are supported. See README.md for usage.
NOTE : Currently the ProcessHollowing code does not work in Debug builds. To test it, use a Release build. See this issue.
- https://www.hackingarticles.in/parent-pid-spoofing-mitret1134/
- https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
- https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
- https://blog.nviso.eu/2020/01/31/the-return-of-the-spoof-part-1-parent-process-id-spoofing/
Thanks for your research:

- Tal Liberman (@tal_liberman)
- Eugene Kogan (@EuKogan)
- hasherezade (@hasherezade)
- Gabriel Landau (@GabrielLandau)