What is Process Doppelgänging and how it enables red team trade-craft?
Learn what Process Doppelgänging is and how it is abused in red team trade-craft.
Have you ever cheated in exams? Don’t answer. That was a trick question.
Let’s say there is a student who wants to cheat in their exam but is too afraid of getting caught, so they want to do it in a stealthy manner. They come up with a neat trick. Before the exam, they fill an extra blank sheet (how they got it isn’t relevant here) with the subject matter text. Somehow, they smuggle it into the examination room (Transact). When the exam starts, they use that smuggled sheet to answer the questions (Load). Towards the end, they cleverly dispose of the smuggled sheet (Rollback). Once done, they submit their answer sheet, which contains the content they copied from the smuggled sheet (Animate).
The invigilator doesn’t get suspicious because the student was using the genuine sheet, issued by the school, and according to them, students can’t get those sheets outside of the exam room.
Similarly, the process doppelgänging technique works as described below:
Transact - The red team operator selects a trusted executable (the extra blank sheet) and overwrites it with malicious content (the subject matter text) using an operating system feature, NTFS Transactions, so the change is only visible inside the transaction.
Load - The red team operator then loads the transacted executable, now containing the malicious content, into a memory section (copying the content of the smuggled sheet onto the new answer sheet).
Rollback - The red team operator then discards the changes to the executable file by rolling back the transaction (disposing of the smuggled sheet), so the file on disk is unchanged.
Animate - Finally, the red team operator creates a new process (submitting the answer sheet) using the legacy Windows process-creation API that creates a process from a handle to a memory section.
Red Team Notes
- This technique relies on Windows features such as Transactional NTFS and the ntdll->NtCreateProcessEx() API, a legacy process-creation API that is still available in Windows for compatibility purposes.
- It does not use suspicious API calls such as NtUnmapViewOfSection, VirtualProtectEx, SetThreadContext etc.
- This technique is fileless in the sense that the malicious code is never left on disk; once the transaction is rolled back it exists only in memory.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
This may sound similar to process hollowing, but there are subtle differences:
- In process hollowing the content of an existing legitimate process is replaced (hollowed out), whereas in process doppelgänging a legitimate executable is modified (without the change ever persisting on disk) before it is executed.
- Process hollowing requires an existing process to be running, whereas process doppelgänging creates a new process from the image of the modified legitimate executable.
- Process hollowing is relatively easy to detect with forensic tools, but detecting process doppelgänging is not as easy and requires a good understanding of process-related memory structures.
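One memory-structure check a defender can run on the point above, as an added example that is not part of the original post: because the rollback leaves the file on disk pristine, a process whose in-memory PE headers differ from the headers of the file its image path points to is running something other than what its path claims. The function name is mine, and it assumes 64-bit PowerShell on Windows, run elevated.

```powershell
# Added defensive example, not code from the post. Reads the PE headers at each
# process's main module base and compares them with the headers of the file on
# disk. A doppelgaenged process keeps a clean file on disk but runs a different
# image, so its headers will not match. MainModule throws for protected and
# cross-bitness processes; those are reported as $null (unknown), not as hits.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr read);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@
$ACCESS = 0x0410   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
$MaxHdr = 0x1000   # one page covers SizeOfHeaders for practically every image

function Test-ImageHeaderMismatch([System.Diagnostics.Process]$Process) {
    try { $module = $Process.MainModule } catch { return $null }
    if (-not (Test-Path -LiteralPath $module.FileName)) { return $true }  # no backing file at all
    $disk = New-Object byte[] $MaxHdr
    $fs = [System.IO.File]::OpenRead($module.FileName)
    try { $n = $fs.Read($disk, 0, $MaxHdr) } finally { $fs.Close() }
    if ($n -lt 0x40 -or $disk[0] -ne 0x4D -or $disk[1] -ne 0x5A) { return $null }  # not an "MZ" file
    # Compare only SizeOfHeaders bytes: past the headers comes section data, which is laid out
    # differently in memory (SectionAlignment) than on disk (FileAlignment).
    $opt = [BitConverter]::ToInt32($disk, 0x3C) + 0x18        # e_lfanew + sizeof(Signature + FileHeader)
    if ($opt + 0x40 -gt $n) { return $null }
    $len = [Math]::Min($n, [Math]::Min([BitConverter]::ToInt32($disk, $opt + 0x3C), $MaxHdr))
    # The memory manager rewrites OptionalHeader.ImageBase when it relocates an image, so that
    # field (offset 0x1C/4 bytes in PE32, 0x18/8 bytes in PE32+) is excluded from the comparison.
    $pe32plus = [BitConverter]::ToUInt16($disk, $opt) -eq 0x20B
    $ibOff = if ($pe32plus) { $opt + 0x18 } else { $opt + 0x1C }; $ibLen = if ($pe32plus) { 8 } else { 4 }
    $h = [Win32.Native]::OpenProcess($ACCESS, $false, $Process.Id)
    if ($h -eq [IntPtr]::Zero) { return $null }
    $mem = New-Object byte[] $MaxHdr
    $read = [IntPtr]::Zero
    $ok = [Win32.Native]::ReadProcessMemory($h, $module.BaseAddress, $mem, $len, [ref]$read)
    [void][Win32.Native]::CloseHandle($h)
    if (-not $ok) { return $null }
    for ($i = 0; $i -lt $len; $i++) {
        if ($i -ge $ibOff -and $i -lt ($ibOff + $ibLen)) { continue }
        if ($disk[$i] -ne $mem[$i]) { return $true }
    }
    return $false
}

foreach ($p in Get-Process) {
    if ((Test-ImageHeaderMismatch $p) -eq $true) {
        "[!] PID {0,-6} {1}: in-memory PE headers differ from on-disk image" -f $p.Id, $p.ProcessName
    }
}
```

Treat a hit as a lead for a memory dump and further forensics rather than proof; the same mismatch appears for other image-replacement techniques, and processes the script cannot open are reported as unknown rather than clean.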
Examples of real-world cyber attacks where this technique was used include Bazar, Leafminer and SynAck.
If you want to dive deep into the technical details of how process doppelgänging works and how it can be detected, below is the recording of the presentation Lost in Transaction: Process Doppelgänging by Tal Liberman and Eugene Kogan, presented at BlackHat Europe 2017.