• Stars
    star
    313
  • Rank 133,714 (Top 3 %)
  • Language
    C++
  • Created almost 3 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Yet another variant of Process Hollowing

Process Overwriting

Build status

Process Overwriting is a PE injection technique, closely related to Process Hollowing and Module Overloading.

Process Hollowing (aka RunPE) is an old and popular PE injection technique. It comes in has variety of flavors, but there are some steps in common:

  1. Start by creating a process in a suspended state
  2. Write our own PE module in its memory
  3. Redirect to the new module
  4. Resume the thread

Process Hollowing does not require manual loading of payload's imports. Thanks to the step 3 Windows loader treat our PE implant as the main module of the process, and will load imports automatically when its execution resumes.

To make our implant recognized by Windows loader, its Module Base must be set in the PEB. It is usually done by one of the two ways:

  • in the most classic variant, the original PE is unmapped from memory, and the new PE is mapped on its place, at the same address.
  • in another, yet common variant, the old module is left as is, and another PE is mapped in a new memory region. Then the new module's base address is manually written into the PEB (this variant was demonstrated here)

As a result of those classic implementations we get a payload running as main module, yet it is mapped as MEM_PRIVATE (not as MEM_IMAGE like typically loaded PEs). To obtain payload mapped as MEM_IMAGE we can use some closely related techniques, such as Transacted Hollowing or its variant "Ghostly Hollowing".

Process Overwriting is yet another take on solving this problem.

In contrast to the classic Process Hollowing, we are not unmapping the original PE, but writing over it. No new memory is allocated: we are using the memory that was originally allocated for the main module of the process.

Pros:

  • the implanted PE looks like if it was loaded by Windows loader:
    • mapped as MEM_IMAGE
    • divided into sections with specific access rights
    • the image is named
  • convenience of loading:
    • no need to manually relocate the implant prior to injection: Windows loader will take care of this (in classic Process Hollowing we have to relocate the module)
    • no need to fill imports (like in every variant of Process Hollowing)
    • no need to allocate new memory in the process

Cons:

  • It doesn't work if the target has GFG (Control Flow Guard) enabled (yet it is possible to disable it on process creation)
  • The target's ImageSize must not be smaller than payload's ImageSize (remember we are using only the memory that was already allocated!) - this limitation does not occur in other flavors of Process Hollowing
  • Can be detected by comparing of the module in memory with corresponding file (PE-sieve detects it) - just like every variant of Process Hollowing

Demo:

The demo payload (demo.bin) injected into Windows Calc (default target):

In memory (via Process Hacker):

Clone:

Use recursive clone to get the repo together with all the submodules:

git clone --recursive https://github.com/hasherezade/process_overwriting.git

More Repositories

1

pe-bear

Portable Executable reversing tool with a friendly GUI
C++
1,976
star
2

pe_to_shellcode

Converts PE into a shellcode
C++
1,911
star
3

malware_training_vol1

Materials for Windows Malware Analysis training (volume 1)
Assembly
1,806
star
4

hollows_hunter

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
C
1,659
star
5

libpeconv

A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl
C++
917
star
6

tiny_tracer

A Pin Tool for tracing API calls etc
C++
880
star
7

demos

Demos of various injection techniques found in malware
C
771
star
8

pe-bear-releases

PE-bear (builds only)
762
star
9

dll_to_exe

Converts a DLL into EXE
C++
726
star
10

exe_to_dll

Converts a EXE into DLL
C++
657
star
11

bearparser

Portable Executable parsing library (from PE-bear)
C++
608
star
12

process_ghosting

Process Ghosting - a PE injection technique, similar to Process DoppelgΓ€nging, but using a delete-pending file instead of a transacted file
C
551
star
13

mal_unpack

Dynamic unpacker based on PE-sieve
C
543
star
14

process_doppelganging

My implementation of enSilo's Process Doppelganging (PE injection technique)
C
489
star
15

transacted_hollowing

Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgΓ€nging
C
457
star
16

malware_analysis

Various snippets created during malware analysis
Python
447
star
17

ida_ifl

IFL - Interactive Functions List (plugin for IDA Pro)
Python
392
star
18

module_overloading

A more stealthy variant of "DLL hollowing"
C
318
star
19

IAT_patcher

Persistent IAT hooking application - based on bearparser
C++
236
star
20

persistence_demos

Demos of various (also non standard) persistence methods used by malware
C++
214
star
21

chimera_pe

ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side
C
208
star
22

shellconv

Small tool for disassembling shellcode (using objdump)
Python
144
star
23

masm_shc

A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.
C++
136
star
24

antianalysis_demos

Set of antianalysis techniques found in malware
C++
119
star
25

password_scrambler

Password scrambler - a deterministic password re-generator (alternative to a password manager)
Python
118
star
26

dll_injector

A simple commandline injector using classic DLL injection
C++
114
star
27

funky_malware_formats

Parsers for custom malware formats ("Funky malware formats")
C++
94
star
28

process_chameleon

A process overwriting its own PEB to make an illusion that it has been loaded from a different path.
C
93
star
29

mal_unpack_drv

MalUnpack companion driver
C++
82
star
30

crypto_utils

Set of my small utils related to cryptography, encoding, decoding etc
Python
76
star
31

ViDi

ViDi Visual Disassembler (experimental)
C++
76
star
32

pe2pic

Small visualizator for PE files
Python
63
star
33

pin_n_sieve

An experimental dynamic malware unpacker based on Intel Pin and PE-sieve
C++
54
star
34

paramkit

A small library helping to parse commandline parameters (for C/C++)
C++
52
star
35

petya_recovery

Application for cracking Red Petya key based on genetic algorithms.
C++
50
star
36

petya_key

A decoder for Petya victim keys, using the Janus' masterkey.
C++
43
star
37

libpeconv_tpl

A ready-made template for a project based on libpeconv.
C++
40
star
38

pe_unmapper

Small tool to convert beteween the PE alignments (raw and virtual).
C++
39
star
39

flareon2019

Flare-On solutions
C
36
star
40

mal_sort

Various scripts helpful in sorting collections of malware samples.
Python
36
star
41

pesieve-go

Golang bindings for PE-sieve
Go
35
star
42

IAT_patcher_samples

Sample libraries to be used with IAT Patcher
C++
32
star
43

pe_utils

A set of small utilities, helpers for PIN tracers
C++
31
star
44

hidden_bee_tools

Parser for a custom executable format from Hidden Bee malware (first stage)
C
31
star
45

mal_unpack_py

Python wrappers for mal_unpack
Python
29
star
46

decryptors_archive

Archive of ransomware decryptors
C++
28
star
47

flareon2022

JavaScript
27
star
48

asm16_projects

My small projects writen in 16 bit asm (NOTE: those are my practice projects that I wrote when I was 15, I give no warranty for this code!)
Assembly
23
star
49

tag_converter

C++
22
star
50

petya_green

Application for random attack on Green Petya's key
C++
22
star
51

bootldr_demo

Demo bootloaders - created just for fun
Assembly
21
star
52

metasploit_modules

My metasploit modules
Ruby
19
star
53

loaderine

A demo implementation of a well-known technique used by some malware to evade userland hooking, using my library: libpeconv.
C
19
star
54

jpassword_scrambler

Small utility to generate complicated passwords - version with GUI
Java
17
star
55

bunitu_tests

Scripts for communication with Bunitu Trojan C&Cs
Python
16
star
56

7ev3n_decoders

Decoders for 7ev3n ransomware
Assembly
14
star
57

libpeconv_and_detours_tpl

A template for projects using both libPeConv and MS Detours
C++
14
star
58

sig_finder

Signature finder (from PE-bear)
C++
13
star
59

detours_cmake_tpl

A CMake template for projects using MS Detours
CMake
13
star
60

passcrambler

https://hasherezade.github.io/passcrambler/
JavaScript
11
star
61

challs

My solutions for random crackmes and other challenges
C++
11
star
62

wke_exercises

My solutions for HackSys Extreme Vulnerable Driver
C++
10
star
63

drawings

Some of my drawings
9
star
64

pe_recovery_tools

A placeholder repository
9
star
65

hasherezade.github.io

My projects' homepage
HTML
8
star
66

mastercoder2014

My solutions
C++
8
star
67

libpeconv_demo

Demo projects and utilities made with the help of libPeConv
C++
8
star
68

bearparser_tests

External tests for bearparser
Assembly
7
star
69

libpeconv_wrappers

A ready-made template for a new project based on libPeConv library
C++
7
star
70

hasherezade

6
star
71

paramkit_tpl

A template for a project using ParamKit
C++
5
star
72

pesieve_tests

External tests for PE-sieve
4
star