Lost in Transaction: Process Doppelgänging

Presented at Black Hat Europe 2017, Dec. 7, 2017, 10:15 a.m. (60 minutes).

Process Hollowing is a technique first introduced years ago by attackers to thwart the mitigation capabilities of security products. However, most of today's solutions are able to detect and prevent such notorious attacks. In this talk, we will present a new technique, dubbed Process Doppelgänging, which has similar advantages but is much harder to detect, let alone prevent. Moreover, we will expose inherent limitations in the implementations of modern AV/NGAV scanning engines.

Most modern evasion techniques rely on complex memory manipulation in order to avoid AV/NGAV scan engines. Instead, we wanted to take advantage of the implementation of the Windows loader, and abuse it to load our code, while keeping it away from the prying eyes of security products. Moreover, the code will never be saved to any file on disk, making it invisible to most recording tools such as modern EDRs.

Doppelgänging works by combining two distinct features to mask the loading of a modified executable. Using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the file. The result of this procedure is a process created from the modified executable, while deployed security mechanisms are kept in the dark.

Presenters:

  • Eugene Kogan - Senior Software Engineer, enSilo
    Eugene Kogan is a senior software engineer at enSilo. Eugene has vast knowledge of operating system internals and over 15 years of experience. In his previous role, Eugene was a Tech Lead at Imperva, where he led and architected numerous complex security projects. Eugene holds a BSc degree in Communications Systems Engineering.
  • Tal Liberman - Security Research Team Leader, enSilo
    Tal Liberman has a strong interest in cyber-security, mainly focusing on OS internals, reverse engineering and low-level development. As a cyber-security research team lead at enSilo, Tal's team is responsible for integrating OS research and malware analysis findings into enSilo's core platform. In particular, he is keen on "documenting the undocumented" in the Windows OS, including CFG and other mitigation technologies, Windows service mechanisms and code injection techniques. Tal holds a BSc in Computer Sciences from the University of Haifa, Israel.