Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hasherezade/transacted_hollowing
Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
code-injection malware pe-injector pefile
Last synced: 3 days ago
- Host: GitHub
- URL: https://github.com/hasherezade/transacted_hollowing
- Owner: hasherezade
- License: mit
- Created: 2021-06-05T13:39:51.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-03-08T12:38:43.000Z (11 months ago)
- Last Synced: 2025-01-25T18:09:26.687Z (10 days ago)
- Topics: code-injection, malware, pe-injector, pefile
- Language: C
- Homepage:
- Size: 204 KB
- Stars: 522
- Watchers: 20
- Forks: 75
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
Transacted Hollowing
==========
[![Build status](https://ci.appveyor.com/api/projects/status/fpgr73aul25gc6kp?svg=true)](https://ci.appveyor.com/project/hasherezade/transacted-hollowing)
### Transacted Hollowing (classic)
Transacted Hollowing is a PE injection technique. A hybrid between [Process Hollowing](https://github.com/hasherezade/libpeconv/tree/master/run_pe) and [Process Doppelgänging](https://github.com/hasherezade/process_doppelganging).

![transacted hollowing diagram](/img/transacted_hollowing.png)
*More info [here](https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/).*
---
### Ghostly Hollowing
Ghostly Hollowing is a similar technique, but using a delete-pending file instead of the transacted file. A hybrid between [Process Hollowing](https://github.com/hasherezade/libpeconv/tree/master/run_pe) and [Process Ghosting](https://github.com/hasherezade/process_ghosting).

![ghostly hollowing diagram](/img/ghostly_hollowing.png)
---
You can build the second variant by enabling the CMake option `GHOSTING`. By default, Transacted Hollowing is built.
![CMake flag](img/ghosting_flag.png)
---
Characteristics:
-
+ Payload mapped as `MEM_IMAGE` (unnamed: not linked to any file)
+ Sections mapped with original access rights (no `RWX`)
+ Payload connected to PEB as the main module
+ Remote injection supported (but only into a newly created process)

![View](img/implant_view.png)
Supported injections:
-
If the loader was built as 32 bit:
```
32 bit payload -> 32 bit target
```
If the loader was built as 64 bit:
```
64 bit payload -> 64 bit target
32 bit payload -> 32 bit target
```

How to use the app:
-
Supply 2 command-line arguments:
```
[payload_path] [target_path]
```
Payload is the PE to be executed impersonating the Target.