Don’t let ghosts of the past haunt your future.

No, I have not suddenly turned this into a philosophical thing. The above quote is what makes possible another process injection technique, Dirty Vanity.

In it’s earlier days, Windows relied on the POSIX subsystem which uses Unix’s fork and exec functionality. While Windows does not leverage fork and exec from process creation but it exposes APIs through which red team operators can use fork and exec functionality to inject their payloads in a process away from the prying eyes of endpoint detection solutions. The POSIX subsystem was replaced over time—first by Windows Services for UNIX (SFU) in Windows XP and later by the Windows Subsystem for Linux (WSL)—some of its code is still part of Windows today and influences how the system works.

The Dirty Vanity process injection technique leverages the legacy fork and exec functionality to create a clone of the target process, inject code into it and execute the code. The cloned process is the exact replica of the original process. The stealth of this technique relies on the fact that while an endpoint detection solution may be monitoring the original process, it will not monitor the cloned process.

At a high level here’s how the Dirty Vanity technique works:

1. The red team operator identifies a target process in the system where they want to inject malicious code.

2. They allocates space within the target process and writes their malicious code into this space.

3. Instead of executing the malicious code directly (which could be detected by EDR), they create a clone (fork) of the target process. This new process is an exact copy of the original, including the injected malicious code.

4. The malicious code runs within this cloned process. Since it's a separate process, the original target process remains unaffected, and the EDR is less likely to detect the malicious activity.

This may sound similar to the classic fork and run technique but there are differences:

• In the classic fork & run, the parent process creates an empty sacrificial child process to execute the red team operator’s payload. In Dirty Vanity, the child process is the clone (fork) of the parent (or target) process.

• The Dirty Vanity technique leverages Process Reflection (RtlCreateProcessReflection) and Process Snapshot (PssCaptureSnapshot) to make create a clone of the target process.

Red Team Notes
- Dirty Vanity is a process injection technique in which red team operators use process reflection and process snapshot to create a clone (fork) of the target process and use that clone to execute their payload. Since the original process is not modified and cloned process looks legitimate, it helps them avoid detection.

Follow my journey of 100 Days of Red Team on WhatsApp or Discord.

If you want to dive deep into the technical details of how dirty vanity technique works, below is the recording of a presentation, Dirty Vanity: A New Approach to Code Injection & EDR Bypass by Eliran Nissan, presented at BlackHat Europe 2022.

Eliran has also published a PoC for this technique on GitHub.