Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging

Transacted Hollowing

Transacted Hollowing - a PE injection technique. A hybrid between Process Hollowing and Process Doppelgänging.

More info here

Characteristics:

  • Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
  • Sections mapped with original access rights (no RWX)
  • Payload connected to PEB as the main module
  • Remote injection supported (but only into a newly created process)
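The first characteristic above, an image mapping that no file backs, is also the property a defender can look for. The following PowerShell is added here as an example and is not part of the transacted_hollowing repository: it walks a process's committed MEM_IMAGE regions and reports those for which GetMappedFileNameW returns no backing path. The names Native and Find-UnnamedImageRegions are chosen for this example, and it assumes a 64-bit PowerShell session with rights to open the processes it inspects.

```powershell
# Added example (not project code): report MEM_IMAGE regions with no backing file name.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Native {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {   // MEMORY_BASIC_INFORMATION; natural alignment matches both 32- and 64-bit layouts
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetMappedFileNameW(IntPtr h, IntPtr addr, StringBuilder name, uint size);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@

function Find-UnnamedImageRegions {
    param([Parameter(Mandatory)][int]$ProcessId)
    $access = 0x0400 -bor 0x0010                    # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    $MEM_COMMIT = 0x1000; $MEM_IMAGE = 0x1000000
    $h = [Native]::OpenProcess($access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $mbi  = New-Object -TypeName 'Native+MBI'
    $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type]'Native+MBI')
    $addr = [IntPtr]::Zero
    try {
        # Walk the whole address space; VirtualQueryEx fails once we pass the user-mode range.
        while ([Native]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -ne [IntPtr]::Zero) {
            if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_IMAGE) {
                $name = New-Object System.Text.StringBuilder 1024
                # A normal image mapping resolves to its EXE/DLL path. A payload mapped from a
                # rolled-back transacted file is still MEM_IMAGE but has no name to return.
                if ([Native]::GetMappedFileNameW($h, $mbi.BaseAddress, $name, $name.Capacity) -eq 0) {
                    [pscustomobject]@{ ProcessId = $ProcessId
                                       Base      = '0x{0:X}' -f $mbi.BaseAddress.ToInt64()
                                       Size      = $mbi.RegionSize.ToInt64()
                                       Protect   = '0x{0:X}' -f $mbi.Protect }
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $addr.ToInt64()) { break }  # never spin on a query that does not advance
            $addr = [IntPtr]$next
        }
    } finally { [void][Native]::CloseHandle($h) }
}

# Usage: list unnamed image mappings in every process we are allowed to open, for triage.
Get-Process | ForEach-Object { try { Find-UnnamedImageRegions -ProcessId $_.Id } catch { } } | Format-Table -AutoSize
```

Each hit is a candidate, not a verdict: compare the reported base with the process's PEB image base and dump the region for PE analysis before concluding anything.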

Supported injections:

If the loader was built as 32-bit:

32-bit payload -> 32-bit target

If the loader was built as 64-bit:

64-bit payload -> 64-bit target
32-bit payload -> 32-bit target

How to use the app:

Supply 2 command-line arguments:

[payload_path] [target_path]

Payload is the PE to be executed impersonating the Target.

Issues
  • How to build on visual studio

    Hey, thanks for uploading your code to the public, I just want to know how to build it on Visual Studio 2019. If you can build it and upload the sln file (for example) and its files (idk if there is more) I'll be thankful

    I want to add some more things from my own :)

    Have a nice day, and thanks again !

    opened by ORCA666 10
  • Why transacted hollowing doesn't need to do image relocation?

    Hello hasherezade

    https://github.com/hasherezade/transacted_hollowing/blob/main/main.cpp#L60 https://github.com/m0n0ph1/Process-Hollowing/blob/master/sourcecode/ProcessHollowing/ProcessHollowing.cpp#L162

    I wonder why it is different from Process Hollowing (which needs to do relocation)

    question 
    opened by EddieIvan01 2
  • Fix address space leak

    Hello. I'd like to open this PR because there's possibly an address space leak in the free_buffer function in util.cpp that would indeed leak virtual address space.

    -void free_buffer(BYTE* buffer, size_t buffer_size)
    +void free_buffer(BYTE* buffer)
    {
        if (buffer == NULL) return;
    -    VirtualFree(buffer, buffer_size, MEM_DECOMMIT);
    +    VirtualFree(buffer, 0, MEM_RELEASE);
    }
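
    Review bot: dropping the buffer_size parameter changes the signature of free_buffer, so its declaration and every call site must be updated in the same change; the hunk shows only the definition in util.cpp, so a build against the old two-argument calls would fail. The replacement call itself is the documented idiom: VirtualFree with MEM_RELEASE requires dwSize to be 0 and returns the entire reservation made by VirtualAlloc, whereas the old MEM_DECOMMIT with an explicit size only decommits pages and leaves the reserved range (and its VAD) in place.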
    

    It only decommits virtual memory and does not release it (VADs would remain).

    This issue does not affect its behavior and is not a big problem in this case, but I refactored it. Thanks in advance.

    opened by kkent030315 1
  • Just a question

    Hey there,

    the payload or malicious PE file should be on the filesystem here. Mostly it will be already fished away by AV, especially if it is malicious or suspicious enough :-) In my case for testing purposes it is mimikatz being wiped away. I was just wondering how malware can benefit from those techniques like process ghosting or transacted hollowing...

    opened by hawaii67 10
Owner
hasherezade