Dirty Vanity

Created the Sunday 18 December 2022. Updated 9 months, 2 weeks ago.

Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.

It uses the RtlCreateProcessReflection or NtCreateProcess[Ex] primitives, along with the PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD, and PROCESS_DUP_HANDLE flags to reflect and execute code in a new process.

The technique also makes use of various methods, such as NtCreateSection and NtMapViewOfSection, VirtualAllocEx and WriteProcessMemory, and NtSetContextThread (also known as Ghost Writing), to write the injected code into the new process.

This technique is designed to evade detection by endpoint security solutions, as the injected code appears to have been written to the new process, rather than being injected from an external source.



Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

Code Snippets

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Attachments

By downloading or using the attached resources, you are agreeing to be bound by the terms and conditions outlined by the provider of the resources. It is important to review and understand these terms before proceeding with the download or use of the files. If you do not agree to the terms, or are unable to agree to them, please do not download or use the attached resources.

Additionally, it's important to be aware of the potential risks that come with downloading resources from unknown sources, as they may contain malware or other malicious content. It's highly recommended to scan the resources with an up-to-date antivirus software before opening or using them.

Please note that even if you take the necessary precautions to check the resources, it is not possible to guarantee that they are completely safe and risk-free. Use of the attached resources is at your own risk.


Sleeping Alien

Subscribe to our Newsletter

Don't miss out on the latest and greatest updates from us! Subscribe to our newsletter and be the first to know about exciting content and future updates.