Process Refund

An attempt to implement Process Doppelgänging

Getting Started

Just clone the repo

git clone https://github.com/Spajed/processrefund.git

and open the .sln with Visual Studio 2015.

Prerequisites

Currently, this works only in x64. To use you need a dummy exe like svchost.exe and your malicious exe. read below – you need to be able to write over the file.

WARNING DONT USE ON WIN10 YOU WILL GET A BSOD.

example:

processrefund.exe svchost.exe MalExe.exe

Problems with Process Doppelgänging

• You can not replace any file. If you try to replace C:\windows\system32\svchost.exe you will get “Access Denied”. Yet in the black hat slide show they show replacing “svchost.exe”, but after viewing the DEMO image in the slideshow it is clear they didn’t replace svchost.exe in the demo but Vmmap.exe from Sysinternals.
• This technique will not bypass all AntiViruses because of the use of NtCreateThreadEx, which is equal to CreateRemoteThread. An AntiVirus may monitor the creation of remote thread (via PsSetCreateThreadNotifyRoutine) thus detecting our Doppelgänging. Also, an AntiVirus may compare the memory with the image of the created process and will be aware of our malicious process. This technique may be good to avoid file signatures and loading executables without writing them to disk(“filesless”) but it will not avoid everything.

Acknowledgments

• https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

Copyright (c) 2017, Spajed All rights reserved.

Source: https://github.com/Spajed/