Process Overwriting is a PE injection technique, closely related to Process Hollowing and Module Overloading
Process Hollowing (aka RunPE) is an old and popular PE injection technique. It comes in has variety of flavors, but there are some steps in common:
Process Hollowing does not require manual loading of payload’s imports. Thanks to the step 3 Windows loader treat our PE implant as the main module of the process, and will load imports automatically when its execution resumes.
To make our implant recognized by Windows loader, its Module Base must be set in the PEB. It is usually done by one of the two ways:
As a result of those classic implementations we get a payload running as main module, yet it is mapped as MEM_PRIVATE
(not as MEM_IMAGE
like typically loaded PEs). To obtain payload mapped as MEM_IMAGE
we can use some closely related techniques, such as Transacted Hollowing or its variant “Ghostly Hollowing”.
Process Overwriting is yet another take on solving this problem.
In contrast to the classic Process Hollowing, we are not unmapping the original PE, but writing over it. No new memory is allocated: we are using the memory that was originally allocated for the main module of the process.
Pros:
MEM_IMAGE
Cons:
The demo payload (demo.bin
) injected into Windows Calc (default target)
Use recursive clone to get the repo together with all the submodules:
git clone –recursive https://github.com/hasherezade/process_overwriting.git
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…