{"id":17983385,"url":"https://github.com/hasherezade/transacted_hollowing","last_synced_at":"2025-04-05T02:08:45.692Z","repository":{"id":37473786,"uuid":"374123614","full_name":"hasherezade/transacted_hollowing","owner":"hasherezade","description":"Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging","archived":false,"fork":false,"pushed_at":"2024-03-08T12:38:43.000Z","size":209,"stargazers_count":536,"open_issues_count":2,"forks_count":81,"subscribers_count":19,"default_branch":"main","last_synced_at":"2025-03-29T01:08:44.649Z","etag":null,"topics":["code-injection","malware","pe-injector","pefile"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hasherezade.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-06-05T13:39:51.000Z","updated_at":"2025-03-27T10:19:09.000Z","dependencies_parsed_at":"2024-04-07T22:44:52.600Z","dependency_job_id":null,"html_url":"https://github.com/hasherezade/transacted_hollowing","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasherezade%2Ftransacted_hollowing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasherezade%2Ftransacted_hollowing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasherezade%2Ftransacted_hollowing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasherezade%2Ftransacted_hollowing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hasherezade","download_url":"https://codeload.github.com/hasherezade/transacted_hollowing/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247276164,"owners_count":20912288,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-injection","malware","pe-injector","pefile"],"created_at":"2024-10-29T18:17:06.770Z","updated_at":"2025-04-05T02:08:45.662Z","avatar_url":"https://github.com/hasherezade.png","language":"C","funding_links":[],"categories":["Malware Analysis"],"sub_categories":["Hashing"],"readme":"Transacted Hollowing\n==========\n\n[![Build status](https://ci.appveyor.com/api/projects/status/fpgr73aul25gc6kp?svg=true)](https://ci.appveyor.com/project/hasherezade/transacted-hollowing)\n\n### Transacted Hollowing (classic)\nTransacted Hollowing is a PE injection technique. A hybrid between [Process Hollowing](https://github.com/hasherezade/libpeconv/tree/master/run_pe) and [Process Doppelgänging](https://github.com/hasherezade/process_doppelganging). \n\n![transacted hollowing diagram](/img/transacted_hollowing.png)\n\n*More info [here](https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/).*\n\n---\n\n\n### Ghostly Hollowing\nGhostly Hollowing is a similar technique, but using a delete-pending file instead of the transacted file. A hybrid between [Process Hollowing](https://github.com/hasherezade/libpeconv/tree/master/run_pe) and [Process Ghosting](https://github.com/hasherezade/process_ghosting). \n\n\n![ghostly hollowing diagram](/img/ghostly_hollowing.png)\n\n---\n\nYou can switch to build the second variant with the help of the CMake option: `GHOSTING`. By default, Transacted Hollowing is built.\n\n![CMake flag](img/ghosting_flag.png)\n\n---\n\n\nCharacteristics:\n-\n\n+ Payload mapped as `MEM_IMAGE` (unnamed: not linked to any file)\n+ Sections mapped with original access rights (no `RWX`)\n+ Payload connected to PEB as the main module\n+ Remote injection supported (but only into a newly created process)\n\n![View](img/implant_view.png)\n\nSupported injections:\n-\nIf the loader was built as 32 bit:\n```\n32 bit payload -\u003e 32 bit target\n```\nIf the loader was built as 64 bit:\n```\n64 bit payload -\u003e 64 bit target\n32 bit payload -\u003e 32 bit target\n```\n\nHow to use the app:\n-\nSupply 2 commandline arguments:\n\n```\n[payload_path] [target_path]\n```\n\nPayload is the PE to be executed impersonating the Target.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhasherezade%2Ftransacted_hollowing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhasherezade%2Ftransacted_hollowing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhasherezade%2Ftransacted_hollowing/lists"}