GET /api/techniques/223/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 223,
    "key": "dirty-vanity",
    "unprotect_id": "U1242",
    "name": "Dirty Vanity",
    "description": "Dirty Vanity is a process injection technique that abuses the Windows forking feature (process reflection and snapshotting) to inject code into a new process.\r\n\r\nIt uses the `RtlCreateProcessReflection` or `NtCreateProcess[Ex]` primitives, together with the `PROCESS_VM_OPERATION`, `PROCESS_CREATE_THREAD`, and `PROCESS_DUP_HANDLE` access rights, to reflect a process and execute code in the resulting new process.\r\n\r\nThe technique also makes use of several well-known methods, such as `NtCreateSection` and `NtMapViewOfSection`, `VirtualAllocEx` and `WriteProcessMemory`, and `NtSetContextThread` (also known as Ghost Writing), to write the injected code into the new process.\r\n\r\nThe technique is designed to evade endpoint security solutions: because the code reaches the new process through the fork, it appears to have originated in that process rather than having been injected from an external source, so detections keyed solely on cross-process memory writes into the target may not fire.",
    "resources": "https://github.com/deepinstinct/Dirty-Vanity\nhttps://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf",
    "creation_date": "2022-12-18T03:19:30.703000Z",
    "tags": "Process injection,\r\nWindows forking,\r\nProcess reflection,\r\nSnapshotting,\r\nRtlCreateProcessReflection,\r\nNtCreateProcess,\r\nNtCreateProcessEx,\r\nFork,\r\nExecute,\r\nPROCESS_VM_OPERATION,\r\nPROCESS_CREATE_THREAD,\r\nPROCESS_DUP_HANDLE,\r\nNtCreateSection,\r\nNtMapViewOfSection,\r\nVirtualAllocEx,\r\nWriteProcessMemory,\r\nNtSetContextThread,\r\nGhost Writing",
    "modification_date": "2023-10-04T10:43:30.875000Z",
    "category": [
        4
    ],
    "rules": [],
    "attachments": [
        "21196959-579d-4561-b450-0f3453f4e91d"
    ],
    "featured_api": [
        3,
        4,
        6,
        7,
        24,
        381,
        425
    ],
    "contributors": []
}