Johnny Shaw demonstrated a defense evasion technique known as process herpaderping, in which an attacker is able to get malicious code into the mapped image section of a process that appears to be a legitimate one before the inspection of the newly created process actually begins. This helps an attacker bypass defenses and can also aid privilege escalation. While MITRE has not assigned a sub-technique ID to this technique, we deemed it appropriate to write this article under process injection and defense evasion methods.
MITRE TACTIC: Defense Evasion (TA0005) and Privilege Escalation (TA0004)
MITRE Technique ID: Process Injection (T1055)
A Windows kernel callback registered through PsSetCreateProcessNotifyRoutineEx is used by security products to take action when a new process is created and its image is mapped into memory, and to determine whether the process should be allowed to execute (whether it is safe or not).
However, the actual AV inspection begins only when the first thread of the respective process is started, not when the process object is created.
This creates a window of opportunity for an attacker to create a process and map its image, then change the file's contents on disk, and only thereafter create the initial thread.
Herpaderping is English slang for a person who is often made fun of because of their obliviousness. Johnny Shaw created a technique called Process Herpaderping which evades anti-virus and other defense mechanisms by modifying the contents of a file after it has been mapped into memory but before the first thread is started. The AV is unable to determine whether execution should continue or be stopped, because the file behind the process has now changed. The original write-up, which is very clearly written, can be found here.
Steps followed are:
At this point the process creation callback (PsSetCreateProcessNotifyRoutineEx) in the kernel fires, and the contents on disk no longer match what was mapped. Inspecting the file at this point results in incorrect attribution.
Since the contents of what is actually being executed are hidden, inspection at this point also results in incorrect attribution.
The official source code can be downloaded from here. All the submodules have to be included as well, so follow the procedure below to download the code correctly using git.
It can now be compiled for release using Visual Studio (I used VS 2022). I forked the repo and uploaded a compiled binary for your ease of access here. It can now be run from cmd to check that it is working.
Now, our payload can be executed using a simple command like this:
We can use the third option as well, but not right now. Let's create a payload first.
Now we can transfer the executable and the payload to the victim.
Once the payload has been transferred successfully, we can run the Process Herpaderping executable to run our payload hidden under some other legitimate executable, such as notepad.exe.
As you can see, we have now received a reverse shell on port 1234 (as our payload specified). This indicates a successful herpaderp of our payload under notepad.exe.
Also, on the victim system, one can confirm that Defender is active and has not detected our payload as malicious when it is run!
Upon inspecting this attack in Process Explorer on the victim system, you should become suspicious if you see unexpected child processes spawning from legitimate executables. Here, cmd.exe is spawning from notepad.exe, which does not normally launch other executables, indicating a process injection attack!
The article discussed a defense evasion technique called Process Herpaderping, a method of obscuring the true intent of a process by modifying its content on disk after the image has been mapped but before it starts executing. This confuses security products like Defender and results in incorrect attribution, yet the payload gets executed nevertheless. A short demonstration was also included as a PoC. Hope you liked the article. Thanks for reading.
Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here