Process Doppelganging

Adversaries may inject malicious code into process via process doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelganging is a method of executing arbitrary code in the address space of a separate live process.

Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction.

Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10.

Adversaries may abuse TxF to perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelganging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelganging use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext.

Process Doppleganging in implemented in 4 steps

· Transact - Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction

· Load - Create a shared section of memory and load the malicious executable.

· Rollback - Undo changes to original executable, effectively removing malicious code from the file system

· Animate - Create a process from the tainted section of memory and initiate execution.

This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelganging may evade detection from security products since the execution is masked under a legitimate process.


In this Demo I will use the POC form hasherezade and demonstrate the technique on what is going on with Process Explorer from SysInternals

I have no idea why I couldn't replicate same architecture, OS and processes but no success. I managed to compile them both but also no idea what is going on, Image below from iredteam


Process Explorer actually represents the mimikatz process as zone.txt - this is because multiple Process Environment Block's (PEB) memory structures of the newly created process were modified during the new process creation


Last updated