daem0nc0re / tangledwinexec Goto Github PK

Hello why you not implemented the :
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
on the TransactedHollowing ?

Cause the actual parent id work but i know a better , is cause Ntcreateprocess ? need createprocess ?

https://www.elastic.co/security-labs/sandboxing-antimalware-products

Discusses how PPL works, and ways to get around it. It also discusses the supposedly undocumented "Trust labels", though that may already be part of a resource here such as Unknown Known DLLs.

They also mention a PoC tool for mitigating a PPL vulnerability:
https://github.com/elastic/PPLGuard

When trying to execute ProcessHollowing.exe, there is always the same error message for me.
I have played with different fake and real parameters and tested it on Windows 10 and 11.

Example:

ProcessHollowing.exe --fake C:\Windows\system32\svchost.exe --real C:\white\artifact64.exe

[*] Got target information.
    [*] Image Path Name : C:\Windows\system32\svchost.exe
    [*] Architecture    : x64
    [*] Command Line    : C:\Windows\system32\svchost.exe
[>] Analyzing PE image data.
[+] Image data is analyzed.
    [*] Architecture  : x64
    [*] Image Size    : 0xC000
    [*] Section Count : 9
[>] Trying to create hollowing process.
[+] Hollowing process is created successfully.
[*] ntdll!_PEB for the hollowing process is 0x000000650F2BC000.
[*] Image base address for the hollowing process is 0x00007FF7945C0000.
[*] Allocated 0xC000 bytes memory at 0x00000177FFD30000 in the hollowing process.
[>] Trying to write image data in the hollowing process.
[-] Failed to memory protection for PE headers.

Since this message is called after the Helpers.UpdateMemoryProtection() function, I assume it failed to "update" the memory protection for PE headers. I am not sure why this occurs and it is most probably a user problem, but maybe you can help me (and potential others) with this.

Thanks for your awesome work!