daem0nc0re / tangledwinexec
PoCs and tools for investigation of Windows process execution techniques
License: BSD 3-Clause "New" or "Revised" License
When trying to execute ProcessHollowing.exe, there is always the same error message for me.
I have played with different fake and real parameters and tested it on Windows 10 and 11.
Example:
ProcessHollowing.exe --fake C:\Windows\system32\svchost.exe --real C:\white\artifact64.exe
[*] Got target information.
[*] Image Path Name : C:\Windows\system32\svchost.exe
[*] Architecture : x64
[*] Command Line : C:\Windows\system32\svchost.exe
[>] Analyzing PE image data.
[+] Image data is analyzed.
[*] Architecture : x64
[*] Image Size : 0xC000
[*] Section Count : 9
[>] Trying to create hollowing process.
[+] Hollowing process is created successfully.
[*] ntdll!_PEB for the hollowing process is 0x000000650F2BC000.
[*] Image base address for the hollowing process is 0x00007FF7945C0000.
[*] Allocated 0xC000 bytes memory at 0x00000177FFD30000 in the hollowing process.
[>] Trying to write image data in the hollowing process.
[-] Failed to memory protection for PE headers.
Since this message is called after the Helpers.UpdateMemoryProtection() function, I assume it failed to "update" the memory protection for PE headers. I am not sure why this occurs and it is most probably a user problem, but maybe you can help me (and potentially others) with this.
Thanks for your awesome work!
Hello, why have you not implemented:
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
in TransactedHollowing?
The current parent id works, but I know a better one. Is it because of NtCreateProcess? Does it need CreateProcess?
https://www.elastic.co/security-labs/sandboxing-antimalware-products
Discusses how PPL works, and ways to get around it. It also discusses the supposedly undocumented "Trust labels", though that may already be part of a resource here such as Unknown Known DLLs.
They also mention a PoC tool for mitigating a PPL vulnerability:
https://github.com/elastic/PPLGuard