Process Hollowing is a technique first introduced years ago by attackers to thwart the mitigation capabilities of security products. However, most of today's solutions are able to detect and prevent such notorious attacks. In this talk, we will present a new technique, dubbed Process Doppelgänging, which has similar advantages but is much harder to detect - let alone prevent. Moreover, we will expose inherent limitations in the implementations of modern AV/NGAV scanning engines.
Most modern evasion techniques rely on complex memory manipulation in order to avoid AV/NGAV scan engines. Instead, we wanted to take advantage of the implementation of the Windows loader, and abuse it to load our code, while keeping it away from the prying eyes of security products. Moreover, the code will never be saved to any file on disk, making it invisible to most recording tools such as modern EDRs.
Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms in the dark.