- Joined
- Jan 2, 2023
- Messages
- 28
- Reaction score
- 3
- Points
- 8
Execution
First of, download hasherezade's PoC for doppleganging here :
github.com
Then test the technique like so:
Note in the below screenshot how mimikatz is launched, but the Process Explorer actually represents the mimikatz process as zone.txt - this is because multiple Process Environment Block's (PEB) memory structures of the newly created process were modified during the new process creation:
Windows 7
Windows 10
Going back to my original motivation as to why I wanted to try this technique out, which was to see if Windows 10 would detect this type of code injection - below is the answer:
First of, download hasherezade's PoC for doppleganging here :
GitHub - hasherezade/process_doppelganging: My implementation of enSilo's Process Doppelganging (PE injection technique)
My implementation of enSilo's Process Doppelganging (PE injection technique) - GitHub - hasherezade/process_doppelganging: My implementation of enSilo's Process Doppelganging (PE injection ...
github.com
Then test the technique like so:
Code:
.\process-doppelganger.exe C:\tools\mimikatz\x64\mimikatz.exe c:\zone.txtNote in the below screenshot how mimikatz is launched, but the Process Explorer actually represents the mimikatz process as zone.txt - this is because multiple Process Environment Block's (PEB) memory structures of the newly created process were modified during the new process creation:
Windows 7
Windows 10
Going back to my original motivation as to why I wanted to try this technique out, which was to see if Windows 10 would detect this type of code injection - below is the answer: