Process Doppelgänging
This is my implementation of the technique presented by enSilo:
https://www.youtube.com/watch?v=Cch8dvp836w
Characteristics:
- Payload mapped as
MEM_IMAGE
(unnamed: not linked to any file) - Sections mapped with original access rights (no
RWX
) - Payload connected to PEB as the main module
- Remote injection supported (but only into a newly created process)
- Process is created from an unnamed module (
GetProcessImageFileName
returns empty string)
WARNING:
The 32bit version works on 32bit system only.