{"id":19119054,"url":"https://github.com/alsch092/changemodulename","last_synced_at":"2025-09-08T12:30:46.192Z","repository":{"id":193062146,"uuid":"688034593","full_name":"AlSch092/ChangeModuleName","owner":"AlSch092","description":"MITRE ATT\u0026CK Submission - Changing Module names at runtime","archived":false,"fork":false,"pushed_at":"2024-05-27T00:05:27.000Z","size":54,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-09T05:08:22.924Z","etag":null,"topics":["defense-evasion","malware","malware-research","mitre-attack","process-manipulation","security-research","windows-process"],"latest_commit_sha":null,"homepage":"https://unprotect.it/technique/change-module-name-at-runtime/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AlSch092.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeModuleName.cpp","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-09-06T14:10:00.000Z","updated_at":"2024-10-24T23:43:40.000Z","dependencies_parsed_at":"2023-09-06T16:16:51.157Z","dependency_job_id":"7e47f879-8370-4978-b701-21b872271f41","html_url":"https://github.com/AlSch092/ChangeModuleName","commit_stats":null,"previous_names":["alsch092/changemodulename"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AlSch092%2FChangeModuleName","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AlSch092%2FChangeModuleName/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AlSch092%2FChangeModuleName/releases","manifests_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/AlSch092%2FChangeModuleName/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AlSch092","download_url":"https://codeload.github.com/AlSch092/ChangeModuleName/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":232308437,"owners_count":18503102,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["defense-evasion","malware","malware-research","mitre-attack","process-manipulation","security-research","windows-process"],"created_at":"2024-11-09T05:08:25.503Z","updated_at":"2025-01-03T07:42:57.355Z","avatar_url":"https://github.com/AlSch092.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ChangeModuleName  \nMITRE ATT\u0026amp;CK Submission - Changing Module names at runtime  \n\nThis topic has been accepted into MITRE's research queue as of Sept. 6 2023, and is pending real-world adversary usage examples. Have you seen an example of this technique being used in the wild? I'd love to hear from you, and my e-mail can be found on my profile page. Please view the .pdf file if you'd like a more cleanly formatted read.   \n\n**By: AlSch092 For: MITRE ATT\u0026CK**  \n\n**Technique Name**: Change Module Names in Running Processes   \n**Tactic**: Defense Evasion  \n**Platform**: Windows  \n**Required Permissions**: User  \n**Sub-techniques**: This is a technique of TA0005.  
\n**Data Sources**: Windows API, Process Environment Block  \n**Description**:  \nThe names of loaded modules in a process can be modified at runtime to avoid detection\nmechanisms. This is done by determining the address of a module's string name and then writing\nanother value over it. Any process can perform this technique on itself or other processes as long as the\nmemory where module names are located is writable.\nIn the context of a running process, calls to the Windows API `GetModuleHandle` will return\nNULL if one queries a module name which has been changed previously by this technique, which\npotentially increases the evasion abilities of a module. Program behavior may also be altered on the\nbasis that `GetModuleHandle` returns NULL. Loaded modules' names can also be changed to the same\nor duplicate values, making it harder to determine which module is the original.\nThis technique can also be used to hijack or intercept program execution. If a process queries the\naddress of a module which has had its name replaced with a malicious one, the malicious module can\npotentially export a function with the same name and parameters as one that is looked up and called by\nthe victim process.  \n\n**Detection**:  \nRead the entire path including the file name when querying loaded modules, and check for the existence\nof the module's file name at the path's location.\nIf two or more modules with the same name are found loaded in a running process, then at least\none of those modules has had its name modified.  \n\n**Mitigation**:  \nEnsure that memory is non-writable for locations on the heap where module string names reside.\nSave the names of all loaded modules and their memory addresses at program startup, so that any\nlater modification can be clearly identified.  \n\n**Adversary Use**: No examples could be found as this is a newly discovered technique. Further data must\n
be collected to determine if any past malware samples have used this technique. Please contact me if you've seen this being used in malware, and I can reference you in the submission!  \n\n**Additional References**:  \n\nA published and peer-reviewed reference to this technique can also be found at:\n(https://unprotect.it/technique/change-module-name-at-runtime/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falsch092%2Fchangemodulename","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falsch092%2Fchangemodulename","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falsch092%2Fchangemodulename/lists"}