Process Doppelgänging: a more stealth alternative of the process hollowing technique?

Recently at Black Hat Europe conference, Tal Liberman and Eugene Kogan (enSilo lab) presented a a new code injection technique called “Process Doppelgänging”, that works on all Windows versions and seems to be able to bypass most of today’s major security products.

This technique is a possible alternative to the Process Hollowing, currently commonly used in malware.

Process Hollowing technique substitutes the PE content after the process is created in a suspended state, but before it is fully initialized.
In order to implement this technique, its needed to make some steps that are usually performed by WindowsLoader: converting the PE file from it’s raw form into a virtual form, relocating it to the base where it is going to be loaded, and pasting into the process’ memory. Finally, the process is awaked from the suspended state, and the WindowsLoader will continue loading the payload.

In contrary, the Process Doppelgänging substitutes the PE content before the process is created: it overwrites the file image before the loading starts and WindowsLoader automatically takes care of the other steps.
This technique utilizes the Windows mechanism of NTFS Transactions.

NTFS Transactions

Transactions is a mechanism commonly used while operating on databases – however, in a similar way it exists in the NTFS file system, allowing to encapsulate into a single unit a series of operations that wil be treated as a whole: outside the transaction, the result of the operations is not visible. It starts to be noticeable only after the transaction is closed.

“By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.”

So the technique consist of create a file inside a transaction and drop in the file the malicious payload.
If the transaction rools back in an appropriate moment, the operating system behaves like our file was never created.

“In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it’s in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind.”

Everything looks lecit to security products because the malicious process will be mapped correctly to a legit file on disk.
All injection process is performed in memory, completely file-less.

Here the video of the talk

…and below the full paper: