Giter Club home page Giter Club logo

tangledwinexec's Introduction

Tangled WinExec

This repository is for investigation of Windows process execution techniques. Most of PoCs are given a name corresponding to the technique.

Projects

  • BlockingDLL : This toolset is for testing blocking DLL process. See README.md.

  • CommandLineSpoofing : This PoC performs Command Line Spoofing. This technique may not work for Windows 11.

  • GhostlyHollowing : This PoC performs Ghostly Hollowing.

  • PPIDSpoofing : This PoC performs PPID Spoofing.

  • ProcessDoppelgaenging : This PoC performs Process Doppelgänging. Due to kernel protection improvement, this technique does not work for recent Windows OS (> Windows 10 Version 1809, as far as I tested). See the issue for hasherezade's repository.

  • ProcessGhosting : This PoC performs Process Ghosting. This technique may not work for Windows 11 after 22H2.

  • ProcessHerpaderping : This PoC performs Process Herpaderping. Due to file lock issue, if you choose a fake image file smaller than you want to execute, file size shrinking will be failed and corrupt file signature for herpaderping process. To take full advantage of this technique, fake image file size should be larger than you want to execute. This technique may not work for Windows 11 after 22H2.

  • ProcessHollowing : This PoC performs Process Hollowing. Unlike the original, the PE image is parsed into a new memory area instead of using ZwUnmapViewOfSection / NtUnmapViewOfSection.

  • ProcMemScan : This is a diagnostic tool to investigate remote process. See README.md.

  • ProcMemScan : This toolset is for testing ProtectedProcess. See README.md.

  • SdDumper : This tool is to dump and analyze SecurityDescriptor information. See README.md.

  • TransactedHollowing : This PoC performs Transacted Hollowing.

  • WmiSpawn : This PoC tries to spawn process with WMI. The processes will be spawn as child processes of WmiPrvSE.exe. Supports local machine process execution and remote machine process execution. The usage can see README.md.

NOTE : Currently ProcessHollowing code does not works for Debug build. To test it, use Release build. See this issue.

Reference

Blocking DLL

Command Line Spoofing

PPID Spoofing

Process Doppelgänging

Process Ghosting

Process Herpaderping

Process Hollowing

Ghostly Hollowing and Transacted Hollowing

Protected Process

Acknowledgments

Thanks for your research:

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.