Dirty Vanity

Created the Sunday 18 December 2022. Updated 2 months ago.

Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.

It uses the RtlCreateProcessReflection or NtCreateProcess[Ex] primitives, along with the PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD, and PROCESS_DUP_HANDLE flags to reflect and execute code in a new process.

The technique also makes use of various methods, such as NtCreateSection and NtMapViewOfSection, VirtualAllocEx and WriteProcessMemory, and NtSetContextThread (also known as Ghost Writing), to write the injected code into the new process.

This technique is designed to evade detection by endpoint security solutions, as the injected code appears to have been written to the new process, rather than being injected from an external source.

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

Code Snippets

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.


By downloading or using the attached resources, you are agreeing to be bound by the terms and conditions outlined by the provider of the resources. It is important to review and understand these terms before proceeding with the download or use of the files. If you do not agree to the terms, or are unable to agree to them, please do not download or use the attached resources.

Additionally, it's important to be aware of the potential risks that come with downloading resources from unknown sources, as they may contain malware or other malicious content. It's highly recommended to scan the resources with an up-to-date antivirus software before opening or using them.

Please note that even if you take the necessary precautions to check the resources, it is not possible to guarantee that they are completely safe and risk-free. Use of the attached resources is at your own risk.

Subscribe to our Newsletter

The information entered into this form is mandatory. It will be subjected to computer processing. It is processed by computer in order to support our users and readers. The recipients of the data will be : contact@unprotect.it.

According to the Data Protection Act of January 6th, 1978, you have at any time, a right of access to and rectification of all of your personal data. If you wish to exercise this right and gain access to your personal data, please write to Thomas Roccia at contact@unprotect.it.

You may also oppose, for legitimate reasons, the processing of your personal data.