Veins and Blood hunting knife for Active Directory Execution process.
- BlockingDLL: This toolset is for testing blocking DLL process. See README.md.
- CloneProcess ./CloneProcess :nThis directory is for process forking and reflection. See README.md.
- CommandLineSpoofing ./CommandLineSpoofing : This PoC performs Command Line Spoofing. This technique may not work for Windows 11.
- DarkLoadLibrary ./DarkLoadLibrary : PoCs in this directory are for testing Dark Load Library. See README.md
- GhostlyHollowing ./GhostlyHollowing : This PoC performs Ghostly Hollowing.
- Misc ./Misc : This directory is for helper tools to development PoCs in this repository.
- PhantomDllHollower ./PhantomDllHollower : This PoC performs Phantom DLL Hollowing. See README.md.
- PPIDSpoofing ./PPIDSpoofing : This PoC performs PPID Spoofing.
- ProcessDoppelgaenging ./ProcessDoppelgaenging : This PoC performs Process Doppelgänging. Due to kernel protection improvement for Microsoft Defender, this technique does not work for recent Windows OS (since about 2021, maybe). So if you want to test this technique in newer environment, must be stop
MicrosofttheWindows Defender Antivirus Service. See the issue - ProcessGhosting ./ProcessGhosting : This PoC performs Process Ghosting. Due to kernel protection, this technique does not work for newer Windows from 22H2.
- ProcessHerpaderping : This PoC performs Process Herpaderping. Due to file lock issue, if you choose a fake image file smaller than you want to execute, file size shrinking will be failed and corrupt file signature for herpaderping process. To take full advantage of this technique, fake image file size should be larger than you want to execute. Due to kernel protection, this technique does not work for newer Windows from 22H2.
- ProcessHollowing : This PoC performs Process Hollowing. Unlike the original, the PE image is parsed into a new memory area instead of using
ZwUnmapViewOfSectionorNtUnmapViewOfSection. - ProcMemScan : This is a diagnostic tool to investigate remote process. See README.md.
- ProtectedProcess : This toolset is for testing Protected Process. See README.md.
- ReflectiveDLLInjection : This toolset is for testing Reflective DLL Injection. See README.md.
- sRDI : This directory is for tool to sRDI (Shellcode Reflective DLL Injection). See README.md.
- TransactedHollowing : This PoC performs Transacted Hollowing.
- WmiSpawn : This PoC tries to spawn process with WMI. The processes will be spawn as child processes of
WmiPrvSE.exe. Supports local machine process execution and remote machine process execution. The usage can see README.md.
Blocking DLL
- Preventing 3rd Party DLLs from Injecting into your Malware
- Staying Under the Radar - Part 1 - PPID Spoofing and Blocking DLLs
- PPID Spoofing & BlockDLLs with NtCreateUserProcess
Command Line Spoofing
- Hide Artifacts: Process Argument Spoofing
- The return of the spoof part 2: Command line spoofing
- Process Ghosting
- What you need to know about Process Ghosting, a new executable image tampering attack
Process Herpaderping
- Process Herpaderping
- Process Herpaderping (Mitre:T1055)
Process Hollowing
- Process Injection: Process Hollowing
- Process Hollowing and Portable Executable Relocations
Ghostly Hollowing and Transacted Hollowing
- GitHub - hasherezade on transacted_hollowing
Protected Process
- Unknown Known DLLs
- Unreal Mode : Breaking Protected Processes
- The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
Thanks for your research:
- Sulaiman Aziz @byt3n33dl3
- Tal Liberman @tal_liberman
- Eugene Kogan @EuKogan
- hasherezade @hasherezade
- Gabriel Landau @GabrielLandau
- Forrest Orr @_forrestorr
- Stephen Fewer @stephenfewer
- batsec @_batsec_
- Nick Landers @monoxgas
