https://github.com/hasherezade/process_overwriting
Yet another variant of Process Hollowing
- Host: GitHub
- URL: https://github.com/hasherezade/process_overwriting
- Owner: hasherezade
- Created: 2022-02-13T22:24:30.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2025-01-25T22:52:15.000Z (3 months ago)
- Last Synced: 2025-04-01T16:16:02.985Z (about 1 month ago)
- Language: C++
- Size: 140 KB
- Stars: 384
- Watchers: 11
- Forks: 80
- Open Issues: 1
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - hasherezade/process_overwriting - Yet another variant of Process Hollowing (C++)
README
# Process Overwriting
[Build status (AppVeyor)](https://ci.appveyor.com/project/hasherezade/process-overwriting)
Process Overwriting is a PE injection technique, closely related to [Process Hollowing](https://github.com/hasherezade/libpeconv/tree/master/run_pe) and [Module Overloading](https://github.com/hasherezade/module_overloading).
With its help, you can replace the main executable (not a DLL) of the target process.
It works only for a newly created process: injection into an existing process is not supported with this technique.
WARNING: The size of the target image must be NOT SMALLER than the size of the payload image. The payload is written over the target's existing mapping rather than into a fresh one, so it has to fit inside that mapping.
Steps taken:
1. creates a suspended process from a benign file (with CFG disabled)
2. maps the payload in memory, and writes it over the originally mapped image (without unmapping of the original image)
3. updates the entry point of the process to the entry point of the payload
4. resumes the process, executing the replaced PE

> [!IMPORTANT]
> [Read FAQ](https://github.com/hasherezade/process_overwriting/wiki)

Demo:
-
The demo payload ([`demo.bin`](https://github.com/hasherezade/process_overwriting/blob/master/demo.bin)) injected into Windows Calc (default target):

In memory (via Process Hacker):

📹 Process Overwriting on Windows 11 24H2: https://youtu.be/sZ8tMwKfvXw
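The following is an added example, not code from this repository: it implements step 2 of the list above ("maps the payload in memory") together with the size check from the WARNING, written portably in C++ so the PE parsing and relocation can be exercised on any host. It assumes a PE32+ (x64) payload and that the caller has already read the target's image base and SizeOfImage from the suspended process (for example from its PEB); process creation with CFG disabled, the remote write and the entry-point update (steps 1, 3 and 4) are Win32-specific and are not shown. `build_sample_pe64` constructs a tiny synthetic payload so the relocation can be checked offline. The namespace `pe_ovw`, the function names and the `MappedPayload` struct are my own and do not correspond to the project's API.

```cpp
// Added example (not hasherezade's code): README step 2 ("map the payload in memory") done
// portably, plus the SizeOfImage check from the WARNING. Assumes a PE32+ payload and that the
// caller already read the target's image base and SizeOfImage from the suspended process.
// Process creation, the remote write and the entry-point update are Win32-only and not shown.
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

namespace pe_ovw {
using Bytes = std::vector<uint8_t>;

struct MappedPayload {
    Bytes    image;           // payload in its in-memory layout, rebased to target_base
    uint64_t entry_point_va;  // absolute VA of AddressOfEntryPoint once rebased
};

// Bounds-checked little-endian accessors; no windows.h so this builds on any (LE) host.
static void need(const Bytes& b, size_t off, size_t n) {
    if (off > b.size() || b.size() - off < n) throw std::runtime_error("out of bounds at " + std::to_string(off));
}
uint16_t rd16(const Bytes& b, size_t off) { need(b, off, 2); uint16_t v; std::memcpy(&v, &b[off], 2); return v; }
uint32_t rd32(const Bytes& b, size_t off) { need(b, off, 4); uint32_t v; std::memcpy(&v, &b[off], 4); return v; }
uint64_t rd64(const Bytes& b, size_t off) { need(b, off, 8); uint64_t v; std::memcpy(&v, &b[off], 8); return v; }
void wr16(Bytes& b, size_t off, uint16_t v) { need(b, off, 2); std::memcpy(&b[off], &v, 2); }
void wr32(Bytes& b, size_t off, uint32_t v) { need(b, off, 4); std::memcpy(&b[off], &v, 4); }
void wr64(Bytes& b, size_t off, uint64_t v) { need(b, off, 8); std::memcpy(&b[off], &v, 8); }

// Lay out a raw PE32+ file as the loader would (headers, then each section at its RVA) and
// rebase it to target_base. Throws if the payload would not fit inside the target's image.
MappedPayload map_payload_for(const Bytes& raw, uint64_t target_base, uint64_t target_size_of_image) {
    if (rd16(raw, 0) != 0x5A4D) throw std::runtime_error("not an MZ file");
    const size_t nt = rd32(raw, 0x3C);
    if (rd32(raw, nt) != 0x00004550) throw std::runtime_error("no PE signature");
    const size_t fh = nt + 4, opt = fh + 20;                 // IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER64
    if (rd16(raw, opt) != 0x20B) throw std::runtime_error("only PE32+ payloads are handled");
    const uint16_t n_sections = rd16(raw, fh + 2), opt_size = rd16(raw, fh + 16);
    const uint32_t entry_rva = rd32(raw, opt + 16), size_of_image = rd32(raw, opt + 56);
    const uint64_t preferred_base = rd64(raw, opt + 24);
    const uint32_t size_of_headers = rd32(raw, opt + 60);
    const uint32_t reloc_rva = rd32(raw, opt + 112 + 5 * 8);  // DataDirectory[5] = BASERELOC
    const uint32_t reloc_size = rd32(raw, opt + 112 + 5 * 8 + 4);
    // The payload is written over the existing mapping without remapping, so it must fit.
    if (size_of_image > target_size_of_image)
        throw std::runtime_error("payload SizeOfImage exceeds the target image");

    Bytes img(size_of_image, 0);
    need(raw, 0, size_of_headers); need(img, 0, size_of_headers);
    std::memcpy(img.data(), raw.data(), size_of_headers);
    for (size_t i = 0; i < n_sections; ++i) {                 // IMAGE_SECTION_HEADER is 40 bytes
        const size_t sh = opt + opt_size + i * 40;
        const uint32_t va = rd32(raw, sh + 12), raw_size = rd32(raw, sh + 16), raw_ptr = rd32(raw, sh + 20);
        if (raw_size == 0) continue;
        need(raw, raw_ptr, raw_size); need(img, va, raw_size);
        std::memcpy(&img[va], &raw[raw_ptr], raw_size);
    }
    // Base relocations: add the base delta to every IMAGE_REL_BASED_DIR64 (type 10) slot.
    const uint64_t delta = target_base - preferred_base;      // wraps mod 2^64; that is intended
    if (delta != 0 && reloc_size != 0) {
        for (size_t pos = reloc_rva, end = size_t(reloc_rva) + reloc_size; pos + 8 <= end;) {
            const uint32_t page_rva = rd32(img, pos), block = rd32(img, pos + 4);
            if (block < 8) throw std::runtime_error("malformed relocation block");
            for (size_t e = pos + 8; e + 2 <= pos + block; e += 2) {
                const uint16_t entry = rd16(img, e), type = entry >> 12, off = entry & 0xFFF;
                if (type == 0) continue;                        // IMAGE_REL_BASED_ABSOLUTE: padding
                if (type != 10) throw std::runtime_error("unsupported relocation type");
                wr64(img, page_rva + off, rd64(img, page_rva + off) + delta);
            }
            pos += block;
        }
    }
    wr64(img, opt + 24, target_base);   // keep the header's ImageBase consistent with the new base
    return MappedPayload{std::move(img), target_base + entry_rva};
}

// Constructed sample input (not a real binary): a 1 KiB PE32+ whose single section holds
// `mov rax, <absolute VA>; ret` plus one DIR64 relocation covering that immediate.
Bytes build_sample_pe64() {
    Bytes f(0x400, 0);
    const size_t fh = 0x44, opt = 0x58, sec = opt + 240;
    wr16(f, 0x00, 0x5A4D); wr32(f, 0x3C, 0x40); wr32(f, 0x40, 0x00004550);   // MZ, e_lfanew, PE\0\0
    wr16(f, fh + 0, 0x8664); wr16(f, fh + 2, 1); wr16(f, fh + 16, 240); wr16(f, fh + 18, 0x0022);
    wr16(f, opt + 0, 0x20B); wr32(f, opt + 16, 0x1000); wr64(f, opt + 24, 0x140000000ULL);
    wr32(f, opt + 32, 0x1000); wr32(f, opt + 36, 0x200);                    // Section/FileAlignment
    wr32(f, opt + 56, 0x2000); wr32(f, opt + 60, 0x200); wr32(f, opt + 108, 16);
    wr32(f, opt + 112 + 5 * 8, 0x1100); wr32(f, opt + 112 + 5 * 8 + 4, 12);  // BASERELOC dir
    std::memcpy(&f[sec], ".text", 5);
    wr32(f, sec + 8, 0x200); wr32(f, sec + 12, 0x1000); wr32(f, sec + 16, 0x200); wr32(f, sec + 20, 0x200);
    wr32(f, sec + 36, 0x60000020);                                           // CODE | EXECUTE | READ
    f[0x200] = 0x48; f[0x201] = 0xB8; wr64(f, 0x202, 0x140001020ULL); f[0x20A] = 0xC3; // at RVA 0x1000
    wr32(f, 0x300, 0x1000); wr32(f, 0x304, 12); wr16(f, 0x308, 0xA002);      // reloc block at RVA 0x1100
    return f;
}
} // namespace pe_ovw
```

In the technique, `image` is what gets written over the target's mapping at `target_base` (after the pages have been made writable), and `entry_point_va` is the address step 3 installs as the new entry point. A payload whose `SizeOfImage` exceeds the target's is rejected before anything is written, so the copy can never run past the end of the original mapping; relocations are applied to the target's actual base because, unlike in a fresh allocation, the base is dictated by where the benign image already lives.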
Clone:
-
Use recursive clone to get the repo together with all the submodules:
```console
git clone --recursive https://github.com/hasherezade/process_overwriting.git
```