Evading windows defender security is always an interesting topic for information security professionals. When designing products for securing Windows platforms, many engineers in this field have fallen on preconceived notions with respect to how the OS will handle data. In this scenario, some might expect the file on disk to remain “locked” when the process is created. You can’t delete the file. You can’t write to it. But you can rename it. Seen here, under the right conditions, you can in fact write to it. Remain vigilant on your assumptions, always question them, and do your research.
Researcher Johnny Shaw Discovered an interesting technique Herpaderping process
The motivation for his research is about discovering how to do analysis when a file is written. With prior background researching process Hollowing and Doppelganging, he has theorized this might be possible. The goal is to provide better security. You cannot create a better lock without first understanding how to break the old one.
Herpaderping is similar to Hollowing and Doppelganging however there are some key differences:
Process Hollowing involves modifying the mapped section before execution begins, which abstractly this looks like:
map -> modify section -> execute. This workflow results in the intended execution flow of the Hollowed process diverging into unintended code. Doppelganging might be considered a form of Hollowing. However, Hollowing, in my opinion, is closer to injection in that Hollowing usually involves an explicit write to the already mapped code. This differs from Herpaderping where there are no modified sections.
Process Doppelganging is closer to Herpaderping. Doppelganging abuses transacted file operations and generally involves these steps:
transact -> write -> map -> rollback -> execute. In this workflow, the OS will create the image section and account for transactions, so the cached image section ends up being what you wrote to the transaction. The OS has patched this technique. Well, they patched the crash it caused. Maybe they consider this a “legal” use of a transaction. Thankfully, Windows Defender does catch the Doppelganging technique. Doppelganging differs from Herpaderping in that Herpaderping does not rely on transacted file operations. And Defender doesn’t catch Herpaderping.
For reference, the generalized techniques:
We can see the differences laid out here. While Herpaderping is arguably noisier than Doppelganging, in that the malicious bits do hit the disk, we’ve seen that security products are still incapable of detecting Herpaderping.
Testing the scenario : –
Download the code from official repo –
git clone https://github.com/jxy-s/herpaderping.git
git submodule update –init –recursive
Visual Studio or MSBuild executable which is part of the Windows operating system can be used to build the binary which implements the technique. The executable expects a source file, in this example Mimikatz, a name for the target file that will be created on the disk, and a trusted binary which will act as a replacement for the target binary and will maintain the legitimate signature.
POC mimikatz defender bypass :-
Version 13.01 of Sysmon has the ability to detect this technique as it can detect when a process image is changed from a different process. Specifically the Event ID 25 can capture various offensive techniques which attempt to tamper a process such as process hollowing and process herpaderping. Olaf Hartong released the following configuration file which can enable the ProcessTampering event on Sysmon.
Sysmon can be installed with the above configuration file by executing the following command:
Sysmon64.exe -i process-tampering.xml