Presented at Black Hat Europe,
a new fileless code injection technique has been detailed by security researchers Eugene Kogan and Tal Liberman. Dubbed Process Doppelganging, commonly available antivirus software is unable to detect processes that have been modified to include malicious code.
The process is very similar to a technique called Process Hollowing, but software companies can already detect and mitigate risks from the older attack method. Process Hollowing occurs when memory of a legitimate program is modified and replaced with user-injected data causing the original process to appear to run normally while executing potentially harmful code.
Unlike the outdated hollowing technique, Process Doppelganging takes advantage of how Windows loads processes into memory. The mechanism that loads programs was originally designed for Windows XP and has changed little since then.
To attempt the exploit, a normal executable is handed to the NTFS transaction and then overwritten by a malicious file. The NTFS transaction is a sandboxed location that returns only a success or failure result preventing partial operations. A piece of memory in the target file is modified. After modification, the NTFS transaction is intentionally failed so that the original file appears to be unmodified. Finally, the Windows process loader is used to invoke the modified section of memory that was never removed