My own implementation of the process herpaderping evasion technique discovered by Johnny Shaw. Also, I provide a solution to detect this attack.
Process Herpaderping is a technique used to evade Antivirus solution by modifying the content on disk after the image file has been mapped.
These are the steps to achieve this attack:
- Read the Payload Binary (CreateFile)
- Create the target file on disk, keep the handle open. We will execute it later in memory (CreateFile)
- Map the target file as an image (NtCreateSection)
- Write random data on the target file handle (GetFileSize, SetFilePointer, ...)
- Create the thread of the target file (NtCreateThreadEx)
- Wait for the process to execute ...
- Close the handle
demonstration_process_herpaderping.mp4
Clone the repository, then fetch and update all the submodules
$ git clone https://github.com/Nikj-Fr/Process-Herpaderping.git
$ cd .\Process-Herpaderping
$ git submodule update --init --recursiveHere are all the configuration I made to my Visual Studio project
-
Include Folder within Visual Studio must look to find librairies
-
Setup the precompiled header file
-
List of the project dependencies (.lib to include)
bcrypt.lib
ntdll.lib
kernel32.lib
user32.lib
gdi32.lib
winspool.lib
comdlg32.lib
advapi32.lib
shell32.lib
ole32.lib
oleaut32.lib
uuid.lib
odbc32.lib
odbccp32.lib
- Compiled Architecture
As a development infrastructure I used the x64-Debug profile of Visual Studio
# After a sucessfull compilation..
$ cd .\Process-Herpaderping\Herpaderping\x64\Debug
$ Herpaderping.exe [PayloadFile] [TargetFile]Kernel Security driver used to block past, current and future process injection techniques on Windows Operating System. Link to the repository.
detection_pi-defender.mp4
The following have been used without modification:
I used the Utilitaire.cpp (with some modification but..) and pch.hpp from:
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent