What is Process Herpaderping and how does it enable red team tradecraft?
Learn what Process Herpaderping is and how it is used in red team tradecraft.
Imagine you want to deliver a secret message to your friend, but you are afraid that if the message gets intercepted, you will be in trouble. So you write the letter with thermo-sensitive ink that disappears on heating (Write). You deliver the letter to your friend and your friend reads it (Map). They then heat it to make the original message disappear and write a benign message on it (Modify). They then process the message, i.e. do whatever the secret message asked them to do (Execute). Finally, they throw the letter in the dustbin (Close). Later, whoever dumpster dives to retrieve that letter will only see the benign message and not the original one. This was the closest analogy I could think of to explain Process Herpaderping.
In Process Herpaderping, the malicious image is mapped into memory first, and the file that backs it on disk is then overwritten so that it appears legitimate. Anything that inspects the file on disk sees the benign content rather than what is actually executing, so the system is tricked into overlooking the harmful nature of the process.
Red Team Notes
- As per the original research published by Johnny Shaw, Process Herpaderping involves the following steps:
  - Write the target binary to disk, keeping the handle open. This is what will execute in memory (Write).
  - Map the file as an image section (NtCreateSection, SEC_IMAGE) (Map).
  - Create the process object using the section handle (NtCreateProcessEx).
  - Using the same target file handle, obscure the file on disk (Modify).
  - Create the initial thread in the process (NtCreateThreadEx) (Execute). [At this point the process creation callback in the kernel will fire. The contents on disk do not match what was mapped. Inspection of the file at this point will result in incorrect attribution.]
  - Close the handle (Close). IRP_MJ_CLEANUP will occur here.
- This technique is even harder to detect than Process Doppelgänging.
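The detection opportunity in the steps above is the mismatch between what was mapped and what is now on disk at the moment the process-creation callback fires. The following is an added example (not code from the page or from Johnny Shaw's repository) of that check in Python: it parses the DOS and COFF headers from the mapped image's header page and from the current on-disk file and reports any disagreement. The header page of a mapped image is byte-identical to the start of the file it was created from, so a legitimate process yields no findings. The `build_minimal_pe` helper and all sample bytes are constructed for the demo; a real detector would read the mapped headers from the new process's image base and re-read the file from disk.

```python
import struct

def parse_pe_headers(buf: bytes) -> dict:
    """Parse the DOS and COFF header fields that must agree between a mapped
    image and its backing file. Raises ValueError when the buffer is not a
    PE image at all (e.g. the file was overwritten with unrelated bytes)."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER starts right after the 4-byte PE signature.
    machine, nsections, timestamp = struct.unpack_from("<HHI", buf, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp}

def image_disk_mismatch(mapped_headers: bytes, on_disk: bytes) -> list:
    """Compare the mapped image's header page with the file currently on disk.
    Returns a list of human-readable findings; an empty list means the two agree."""
    try:
        disk_hdr = parse_pe_headers(on_disk)
    except ValueError as exc:
        # The backing file no longer parses as a PE image: strongest signal.
        return [f"on-disk file is no longer a PE image ({exc})"]
    map_hdr = parse_pe_headers(mapped_headers)
    return [
        f"{field}: mapped={map_hdr[field]} disk={disk_hdr[field]}"
        for field in map_hdr
        if map_hdr[field] != disk_hdr[field]
    ]

def build_minimal_pe(machine: int, nsections: int, timestamp: int) -> bytes:
    """Constructed sample: a DOS header pointing at a COFF header, which is all
    the parser above needs. Not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature offset
    coff = struct.pack("<HHIIIHH", machine, nsections, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b"\x00" * 64

if __name__ == "__main__":
    mapped = build_minimal_pe(0x8664, 3, 1700000000)          # what was mapped
    benign = build_minimal_pe(0x8664, 5, 1600000000)          # disguise written later
    print("legitimate:", image_disk_mismatch(mapped, mapped))
    print("herpaderped (benign PE):", image_disk_mismatch(mapped, benign))
    print("herpaderped (junk):", image_disk_mismatch(mapped, b"junk" * 20))
```

Header fields are a cheap first check; a production detector would also compare section tables and hash the mapped image against the file's original content captured at section-creation time.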
If you want to dive deeper into the technical details of this technique, refer to Johnny's GitHub repository. This repository also contains the proof-of-concept code.
If this sounds similar to process hollowing or process doppelgänging, refer to the section of Johnny's GitHub repository that covers the differences between these three techniques.