GET /api/techniques/119/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 119,
    "key": "process-doppelganging",
    "unprotect_id": "U1215",
    "name": "Process Doppelgänging",
    "description": "This technique leverages the `Transactional NTFS` functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform the modification, then commit the modification, avoiding any corruption. The modification either completes successfully or does not begin.\r\n\r\nProcess Doppelgänging abuses this functionality to overwrite a legitimate file with a malicious file, resulting in a process injection. The malicious file will be created inside a transaction then committed to the legitimate file, then executed.\r\n\r\nHere are the detailed steps to reproduce the Process Doppelgänging technique:\r\n\r\n1. Create a new transaction object using `NtCreateTransaction` and store the handle in `hTransaction`.\r\n\r\n2. Open the target file for the transaction using `CreateFileTransacted` and store the handle in `hTransactedFile`.\r\n\r\n3. Open the payload file using `CreateFile` and store the handle in `hFile`.\r\n\r\n4. Query the size of the payload file using `GetFileSizeEx` and store the result in `fsz`.\r\n\r\n5. Allocate a buffer for the payload file using `NtAllocateVirtualMemory` and store the pointer in `Buffer`.\r\n\r\n6. Read the payload file into the buffer using `ReadFile`.\r\n\r\n7. Close the handle to the payload file.\r\n\r\n8. Set the size of the target file using `SetFileInformationByHandle` and the `FileEndOfFileInfo` structure.\r\n\r\n9. Map the target file into memory using `NtMapViewOfSection` and store the result in `MemoryPtr`.\r\n\r\n10. Copy the payload file from the buffer into the mapped memory using `RtlCopyMemory`.\r\n\r\n11. Unmap the target file from memory using `NtUnmapViewOfSection`.\r\n\r\n12. Commit the transaction using `NtCommitTransaction`.\r\n\r\n13. Create a new process using `NtCreateUserProcess` and store the handle in `hProcess`.\r\n\r\n14. Allocate memory for the process parameters using `NtAllocateVirtualMemory` and store the result in `ProcessParameters`.\r\n\r\n15. Set the process parameters using `RtlCreateProcessParametersEx`.\r\n\r\n16. Create the process using `NtCreateSection` and `NtMapViewOfSection`.\r\n\r\n17. Start the process using `NtCreateThreadEx` and store the handle in `hThread`.\r\n\r\n18. Wait for the process to finish execution using `WaitForSingleObject`.\r\n\r\n19. Close the handle to the process and thread.",
    "resources": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf",
    "creation_date": "2019-03-23T17:31:06Z",
    "tags": "Transactional NTFS, Windows, data integrity, write, modify file, unexpected error, transactional mode, commit, process injection, malicious file, legitimate file,",
    "modification_date": "2023-10-04T10:45:01.173000Z",
    "category": [
        4
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [
        2,
        13,
        16,
        23,
        364,
        380,
        388,
        450
    ],
    "contributors": []
}