https://github.com/hasherezade/process_doppelganging

My implementation of enSilo's Process Doppelganging (PE injection technique)
https://github.com/hasherezade/process_doppelganging

malware pe-injector process-doppelganging

Last synced: 3 months ago
JSON representation

My implementation of enSilo's Process Doppelganging (PE injection technique)

• Host: GitHub
• URL: https://github.com/hasherezade/process_doppelganging
• Owner: hasherezade
• Created: 2017-12-16T13:03:06.000Z (over 7 years ago)
• Default Branch: master
• Last Pushed: 2022-08-30T17:24:29.000Z (almost 3 years ago)
• Last Synced: 2025-03-28T22:13:14.963Z (3 months ago)
• Topics: malware, pe-injector, process-doppelganging
• Language: C
• Homepage: https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
• Size: 59.6 KB
• Stars: 599
• Watchers: 19
• Forks: 118
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
Process Doppelgänging

==========

[![Build status](https://ci.appveyor.com/api/projects/status/mnoqdw09gs96mih5?svg=true)](https://ci.appveyor.com/project/hasherezade/process-doppelganging)

This is my implementation of the technique presented by enSilo:


https://www.youtube.com/watch?v=Cch8dvp836w

![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/dopel1_.png)

Characteristics:

-

+ Payload mapped as `MEM_IMAGE` (unnamed: not linked to any file)

+ Sections mapped with original access rights (no `RWX`)

+ Payload connected to PEB as the main module

+ Remote injection supported (but only into a newly created process)

+ Process is created from an unnamed module (`GetProcessImageFileName` returns empty string)



WARNING: 


The 32bit version works on 32bit system only.