Process Doppelgänging Attack allows evading most security software on all Windows Versions

Pierluigi Paganini December 07, 2017

Experts devised a new attack technique dubbed Process Doppelgänging, that could be implemented by vxers to bypass most antivirus solutions.

A group of security researchers from Ensilo discovered a new malware evasion technique, dubbed Process Doppelgänging, that could be implemented by vxers to bypass most antivirus solutions and security software.

The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.

The Process Doppelgänging technique works on almost any Windows version starting from Windows Vista to the latest version of Windows 10.

The security duo from Ensilo, Tal Liberman and Eugene Kogan, presented the Process Doppelgänging at Black Hat 2017 Security conference held in London.

Process Doppelgänging presents similarities to another technique dubbed Process Hollowing, but it relies upon the Windows mechanism of NTFS Transactions.

The Process Hollowing could be used by attackers to replace the memory of a legitimate process with a malicious code, in this way security software are tricked into believing that the legitimate process is running.

Fortunately, all modern security software are able to detect Process Hollowing attacks.The Process Doppelgänging  leverages the Windows NTFS Transactions and an outdated implementation of Windows process loader originally designed for Windows XP to carry on the attack.

NTFS Transaction is a Windows feature that was implemented to integrate transactions into the NTFS file system, allowing it easier for application developers to handle errors and preserve data integrity, and of course to manage files and directories.

The NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines which result could be always reconducted to a failure or success state.
The Process Doppelgänging fileless attack works in four steps that are:
  1. Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file.
  2. Load—create a memory section from the modified (malicious) file.
  3. Rollback—rollback the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable in a way they never existed.
  4. Animate—bring the doppelganger to life. Use the older implementation of Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, “making it invisible to most recording tools such as modern EDRs.”

“The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine,” said the security duo.

“Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection.”

“In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it’s in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind.”

According to the tests conducted by the researchers, which used Process Doppelgänging to run the well-known password-stealing utility Mimikatz without being detected, the technique evades detection from most antiviruses as reported in the following table:

Process Doppelgänging


Liberman explained that the Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, both released earlier this year. On these later releases, the attack triggers a BSOD (blue screen of death) condition.

Fortunately, it is technically challenging to power Process Doppelgänging attacks due to the need to know “a lot of undocumented details on process creation.”

The bad news is that the attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Process Doppelgänging, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment