0x00 Preface

---

At BlackHat Europe 2017, Tal Liberman and Eugene Kogan presented a new code injection technique: Process Doppelgänging.

It is claimed that this technique works on all Windows versions and can evade detection by most security products.

This article therefore develops a program based on open-source code to implement Process Doppelgänging, tests its functionality, and analyzes the exploitation approach.

Reference:

https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

0x01 Introduction

---

This article will cover the following:

  • Principles
  • Open-source code
  • Mitigation methods
  • Practical testing
  • Exploitation approach
  • Defense and detection

0x02 Process Doppelgänging Principle

---

Its principle is similar to Process Hollowing, but it is more advanced:

  • No puppet process is needed
  • No special memory operations are required, such as SuspendProcess or NtUnmapViewOfSection

Note:

For an introduction to Process Hollowing, refer to the earlier article 'Implementation and Detection of Puppet Processes'.

Implementation Approach:

1. Open a normal file and create a transaction

Regarding NTFS transactions, refer to:

http://www.ntfs.com/transaction.htm

2. Write the payload into the transacted file and launch it as a process

At this point, antivirus software cannot scan the payload written into the transaction.

3. Roll back the transaction

This reverts the transaction and cleans up the traces.

The corresponding program implementation flow:

1. Create transaction

Key functions:

  • NtCreateTransaction

2. Write the payload within this transaction

Key functions:

  • CreateFileTransacted
  • NtCreateSection

3. Launch the payload as a process

Key functions:

  • NtCreateProcessEx
  • NtCreateThreadEx

4. Roll back the transaction

Key functions:

  • NtRollbackTransaction

Of course, it also involves payload writing, memory allocation, the PE file structure, etc., which are not covered here; refer directly to the POC source code.

For the usage of the Native API, refer to the earlier articles "Penetration Techniques - Creation of 'Hidden' Registry" and "Penetration Techniques - More Tests on 'Hidden' Registry".
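A defender's view of the same call chain, as an added example that is not from the original article or either POC: a detector that walks a constructed API-call trace (hypothetical "pid=<n> api=<name>" format, such as a sandbox or EDR hook log might produce) and flags a process that issues the key functions above in order and finishes with a rollback rather than a commit.

```python
import re
from collections import defaultdict

# Ordered API chain from the key functions listed above. NtCreateTransaction
# and CreateFileTransacted alone are legitimate TxF use; combined with
# NtCreateSection, NtCreateProcessEx and a rollback (not a commit) they
# form the suspicious pattern.
DOPPELGAENGING_CHAIN = (
    "NtCreateTransaction",
    "CreateFileTransacted",
    "NtCreateSection",
    "NtCreateProcessEx",
    "NtRollbackTransaction",
)

# Constructed sample trace in a hypothetical "pid=<n> api=<name>" format:
# pid 1000 is benign TxF use (commit), pid 2000 follows the full chain.
SAMPLE_TRACE = """\
pid=1000 api=NtCreateTransaction
pid=1000 api=CreateFileTransacted
pid=1000 api=NtCommitTransaction
pid=2000 api=NtCreateTransaction
pid=2000 api=CreateFileTransacted
pid=2000 api=WriteFile
pid=2000 api=NtCreateSection
pid=2000 api=NtCreateProcessEx
pid=2000 api=NtCreateThreadEx
pid=2000 api=NtRollbackTransaction
"""

LINE_RE = re.compile(r"pid=(\d+) api=(\w+)")

def find_doppelgaenging(trace: str) -> list:
    """Return pids whose call order contains the whole chain (other calls may interleave)."""
    progress = defaultdict(int)  # pid -> index of the next expected API
    flagged = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, api = int(m.group(1)), m.group(2)
        idx = progress[pid]
        if idx < len(DOPPELGAENGING_CHAIN) and api == DOPPELGAENGING_CHAIN[idx]:
            progress[pid] = idx + 1
            if progress[pid] == len(DOPPELGAENGING_CHAIN):
                flagged.append(pid)
        elif api == "NtCommitTransaction":
            progress[pid] = 0  # committed: ordinary file I/O, reset
    return flagged
```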

Note:

On Windows 10 builds before RS3, this method causes a blue screen. The cause is a null pointer passed to NtCreateProcessEx. For details, refer to:

https://bugs.chromium.org/p/project-zero/issues/detail?id=852

0x03 Open Source POC

---

Currently, there are two publicly available POCs.

1. processrefund

Address:

https://github.com/Spajed/processrefund

Currently supports only 64-bit Windows systems.

Build environment: VS2015 with the Windows SDK installed

Actual test:

Win7 x64

The test is shown in the figure below:

[figure: test result on Win7 x64]

Note:

If calc.exe under system32 is chosen as the target, an insufficient-permissions error is reported.

The process calc.exe is started, but MalExe.exe actually executes and pops up a dialog box.

The icon and description of the calc.exe process are those of the normal calc.exe, and its digital signature is also valid, as shown below:

[figure: calc.exe process properties]

2. POC by hfiref0x

https://gist.github.com/hfiref0x/a9911a0b70b473281c9da5daea9a177f

Only a single C file; the header ntos.h is missing.

It can be taken from:

https://github.com/hfiref0x/UACME/blob/master/Source/Shared/ntos.h

but further modifications are still required.

To better understand the details, I decided not to use ntdll.lib (shipped with the DDK) and instead obtain the Native API functions from ntdll directly (which of course increases the amount of code).

I rewrote ntos.h in my own way and modified the original POC's inject.c.

The open-source address is as follows:

An open source project

Compilation tool: VS2012

Supports 32-bit Windows systems.

Actual testing:

Win7 x86

The test is shown in the figure below:

[figure: test result on Win7 x86]

Note:

If calc.exe under system32 is chosen as the target, an insufficient-permissions error is reported.

In summary, Process Doppelgänging is similar to Process Hollowing in its effect: a normal-looking process (normal icon, signature, and description) is launched and the payload executes within it.

A disadvantage of Process Doppelgänging in exploitation: it requires file replacement, so choosing a file under system32 produces an insufficient-permissions error (even administrator privileges cannot modify files in this path).

0x04 Exploitation Approach

---

In the previous section, we tested two POCs and gained some understanding of Process Doppelgänging.

In practical exploitation the POC needs further modification. The approach is as follows:

Remove the code that reads the payload from a file and instead store the payload in a buffer (which can be compressed and encoded to reduce its length).

At run time, read the buffer, decrypt it, and execute it.

This further hides the payload, achieving a "fileless" payload (the payload is embedded in the exploit and never needs to be written to disk).

0x05 Detection

---

Process Doppelgänging does not bypass all antivirus software: calls to several key functions (such as NtCreateThreadEx) can still be intercepted, and the process memory differs from the PE file on disk.
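The memory-versus-file difference mentioned above can be checked directly. The following is an added example (not code from the article or the POCs) that extracts a few header fields from a PE image and compares the image mapped in a process with the file at the process's reported image path; both samples are constructed in-line, and on a live system the mapped bytes would come from ReadProcessMemory at the image base and the on-disk bytes from the main module's path.

```python
import struct

def build_pe(timestamp: int, size_of_image: int, sections) -> bytes:
    """Constructed minimal PE32 header (DOS header, NT headers, section table)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    table = b"".join(struct.pack("<8sIIII", n, vs, va, vs, 0) + b"\0" * 16
                     for n, vs, va in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table

def pe_fingerprint(image: bytes) -> dict:
    """Header fields that must agree between a mapped image and its backing file."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    _, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    size_of_image = struct.unpack_from("<I", image, e_lfanew + 24 + 56)[0]
    sect_off = e_lfanew + 24 + opt_size
    sections = tuple(
        (name.rstrip(b"\0"), vs, va)
        for name, vs, va in (struct.unpack_from("<8sII", image, sect_off + 40 * i)
                             for i in range(nsect)))
    return {"timestamp": ts, "size_of_image": size_of_image, "sections": sections}

def header_mismatches(mapped: bytes, on_disk: bytes) -> list:
    """Names of fields that differ; empty means the mapped image matches the file on disk."""
    a, b = pe_fingerprint(mapped), pe_fingerprint(on_disk)
    return [k for k in a if a[k] != b[k]]

# Constructed samples: what the file at the process's reported image path looks
# like on disk, and what was actually mapped into the process (a different PE).
# On a real host, read the mapped bytes from the process's image base and the
# on-disk bytes from the module path, then pass both here.
ON_DISK_FILE = build_pe(0x4A5BC9FA, 0x20000, [(b".text", 0x1000, 0x1000)])
MAPPED_IMAGE = build_pe(0x5A2E1234, 0x8000, [(b".text", 0x600, 0x1000), (b".rdata", 0x200, 0x2000)])
```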

0x06 Summary

---

This article introduced the principle of Process Doppelgänging, developed a program based on open-source code to achieve exploitation on Windows x86 and x64 systems, tested its functionality, analyzed the exploitation approach, and introduced detection methods.