daem0nc0re / tangledwinexec Goto Github PK

View Code? Open in Web Editor NEW

859.0 21.0 135.0 4.53 MB

PoCs and tools for investigation of Windows process execution techniques

License: BSD 3-Clause "New" or "Revised" License

C# 97.26% C++ 1.65% C 1.09%

red-team reverse-engineering windows windows-internals windbg-extension

tangledwinexec's People

Contributors

Stargazers

Watchers

Forkers

cvlabsio jxpsx shantanu561993 zha0 dr-raypc gavz msf-ntdll pentestnetworks developer191 jpluimers ykankaya dannymas zmkeh sasqwatch jhinxs ronin-dojo johnwax hxlxmjxbbxs cppjunkie jymcheong bypasscc materaj2 freeide killvxk 0xp0lyx4 whisper-r 0xajstrike inosec2 a-new eragon226 watch-later scriptidiot global-localhost global19 global19-atlassian-net ignacioj jahno 5l1v3r1 toxicnade hatchetcode y0d4a linjingc gmh5225 joao10adao10 superuser5 ddostest123 m00zh33 signals4change data-gami ikpehlivan cmjlove1 flamelu xunnun kyleevers mmyyhack exiahan leftp askyeye kungia09 sunnyneo phuong39 kara-4search cutff schira4396 petercc cyberfury101 apkc zzhsec dl1rich awesomeyuer guliqbal87 xcalibure2 raystyle benheise lck0 pr0tean marcosd4h sneakid fresh-afk come2darkside v4nyl hashtaginfosec elsisoft freeide2017 tienhuyvonguyen fengjixuchui l34rn northshad0w startagain2016 anti-ghosts cnguoyj root4rce dabuek h1d3r wwchy ovidsec hjt2822 samy4samy e027 beeefire

tangledwinexec's Issues

Not able to update memory protection

When trying to execute ProcessHollowing.exe, there is always the same error message for me.
I have played with different fake and real parameters and tested it on Windows 10 and 11.

Example:

ProcessHollowing.exe --fake C:\Windows\system32\svchost.exe --real C:\white\artifact64.exe

[*] Got target information.
    [*] Image Path Name : C:\Windows\system32\svchost.exe
    [*] Architecture    : x64
    [*] Command Line    : C:\Windows\system32\svchost.exe
[>] Analyzing PE image data.
[+] Image data is analyzed.
    [*] Architecture  : x64
    [*] Image Size    : 0xC000
    [*] Section Count : 9
[>] Trying to create hollowing process.
[+] Hollowing process is created successfully.
[*] ntdll!_PEB for the hollowing process is 0x000000650F2BC000.
[*] Image base address for the hollowing process is 0x00007FF7945C0000.
[*] Allocated 0xC000 bytes memory at 0x00000177FFD30000 in the hollowing process.
[>] Trying to write image data in the hollowing process.
[-] Failed to memory protection for PE headers.

Since this message is called after the Helpers.UpdateMemoryProtection() function, I assume it failed to "update" the memory protection for PE headers. I am not sure why this occurs and it is most probably a user problem, but maybe you can help me (and potential others) with this.

Thanks for your awesome work!

Question

Hello why you not implemented the :
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
on the TransactedHollowing ?

Cause the actual parent id work but i know a better , is cause Ntcreateprocess ? need createprocess ?

Possible learning resource

https://www.elastic.co/security-labs/sandboxing-antimalware-products

Discusses how PPL works, and ways to get around it. It also discusses the supposedly undocumented "Trust labels", though that may already be part of a resource here such as Unknown Known DLLs.

They also mention a PoC tool for mitigating a PPL vulnerability:
https://github.com/elastic/PPLGuard

daem0nc0re / tangledwinexec Goto Github PK

tangledwinexec's People

Contributors

Stargazers

Watchers

Forkers

tangledwinexec's Issues

Not able to update memory protection

Question

Possible learning resource

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent