Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/hasherezade/process_doppelganging

My implementation of enSilo's Process Doppelganging (PE injection technique)
https://github.com/hasherezade/process_doppelganging

malware pe-injector process-doppelganging

Last synced: 1 day ago
JSON representation

My implementation of enSilo's Process Doppelganging (PE injection technique)

Host: GitHub
URL: https://github.com/hasherezade/process_doppelganging
Owner: hasherezade
Created: 2017-12-16T13:03:06.000Z (about 7 years ago)
Default Branch: master
Last Pushed: 2022-08-30T17:24:29.000Z (over 2 years ago)
Last Synced: 2025-01-18T21:43:50.127Z (8 days ago)
Topics: malware, pe-injector, process-doppelganging
Language: C
Homepage: https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
Size: 59.6 KB
Stars: 585
Watchers: 20
Forks: 116
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        Process Doppelgänging

==========

[![Build status](https://ci.appveyor.com/api/projects/status/mnoqdw09gs96mih5?svg=true)](https://ci.appveyor.com/project/hasherezade/process-doppelganging)

This is my implementation of the technique presented by enSilo:


https://www.youtube.com/watch?v=Cch8dvp836w

![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/dopel1_.png)

Characteristics:

-

+ Payload mapped as `MEM_IMAGE` (unnamed: not linked to any file)

+ Sections mapped with original access rights (no `RWX`)

+ Payload connected to PEB as the main module

+ Remote injection supported (but only into a newly created process)

+ Process is created from an unnamed module (`GetProcessImageFileName` returns empty string)



WARNING: 


The 32bit version works on 32bit system only.