Presented at Black Hat Europe, a new fileless code injection technique has been detailed by security researchers Eugene Kogan and Tal Liberman. Dubbed Process Doppelgänging, commonly available antivirus software is unable to detect processes that have been modified to include malicious code.
The process is very similar to a technique called Process Hollowing, but software companies can already detect and mitigate risks from the older attack method. Process Hollowing occurs when memory of a legitimate program is modified and replaced with user-injected data causing the original process to appear to run normally while executing potentially harmful code.
Unlike the outdated hollowing technique, Process Doppelgänging takes advantage of how Windows loads processes into memory. The mechanism that loads programs was originally designed for Windows XP and has changed little since then.
To attempt the exploit, a normal executable is handed to the NTFS transaction and then overwritten by a malicious file. The NTFS transaction is a sandboxed location that returns only a success or failure result preventing partial operations. A piece of memory in the target file is modified. After modification, the NTFS transaction is intentionally failed so that the original file appears to be unmodified. Finally, the Windows process loader is used to invoke the modified section of memory that was never removed.
The following table shows the antivirus software tested by the researchers that is unable to block the exploit discovered.
|Windows Defender||Windows 10||Success|
|AVG Internet Security||Windows 10||Success|
|ESET NOD 32||Windows 7 SP1||Success|
|Symantec Endpoint Protection||Windows 7 SP1||Success|
|McAfee VSE 8.8 Patch 6||Windows 7 SP1||Success|
|Kaspersky Endpoint Security 10||Windows 7 SP1||Success|
|Kasperksy Antivirus 18||Windows 7 SP1||Success|
|Symantec Endpoint Protection 14||Windows 7 SP1||Success|
It should be noted that Windows 10 Fall Creators Update originally appeared to fix the issue since the duo presenting were unable to perform the exploit on the latest version. When attempting the exploit, a stop error otherwise known as the blue screen of death occurs. Not a desirable effect, but better than ending up with an infected machine.
However, later updates apparently allowed for the exploit to work again even on the latest patches of Windows 10. Due to the nature of the exploit, Microsoft will have its work cut out to update a core feature that helps preserve software compatibility. Antivirus vendors should be able to push out updates to detect and prevent Process Doppelgänging within the coming weeks.