Herpaderping process– Evading Windows Defender Security

Evading windows defender security is always an interesting topic for information security professionals. When designing products for securing Windows platforms, many engineers in this field have fallen on preconceived notions with respect to how the OS will handle data. In this scenario, some might expect the file on disk to remain “locked” when the process is created. You can’t delete the file. You can’t write to it. But you can rename it. Seen here, under the right conditions, you can in fact write to it. Remain vigilant on your assumptions, always question them, and do your research.

Researcher Johnny Shaw Discovered an interesting technique Herpaderping process

The motivation for his research is about discovering how to do analysis when a file is written. With prior background researching process Hollowing and Doppelganging, he has theorized this might be possible. The goal is to provide better security. You cannot create a better lock without first understanding how to break the old one.

Similar Techniques

Herpaderping is similar to Hollowing and Doppelganging however there are some key differences:

Process Hollowing

Process Hollowing involves modifying the mapped section before execution begins, which abstractly this looks like: map -> modify section -> execute. This workflow results in the intended execution flow of the Hollowed process diverging into unintended code. Doppelganging might be considered a form of Hollowing. However, Hollowing, in my opinion, is closer to injection in that Hollowing usually involves an explicit write to the already mapped code. This differs from Herpaderping where there are no modified sections.

Process Doppelganging

Process Doppelganging is closer to Herpaderping. Doppelganging abuses transacted file operations and generally involves these steps: transact -> write -> map -> rollback -> execute. In this workflow, the OS will create the image section and account for transactions, so the cached image section ends up being what you wrote to the transaction. The OS has patched this technique. Well, they patched the crash it caused. Maybe they consider this a “legal” use of a transaction. Thankfully, Windows Defender does catch the Doppelganging technique. Doppelganging differs from Herpaderping in that Herpaderping does not rely on transacted file operations. And Defender doesn’t catch Herpaderping.

Comparison

For reference, the generalized techniques:

Type	Technique
Hollowing	map -> modify section -> execute
Doppelganging	transact -> write -> map -> rollback -> execute
Herpaderping	write -> map -> modify -> execute -> close

We can see the differences laid out here. While Herpaderping is arguably noisier than Doppelganging, in that the malicious bits do hit the disk, we’ve seen that security products are still incapable of detecting Herpaderping.

Testing the scenario : –

Download the code from official repo –

Detection

Version 13.01 of Sysmon has the ability to detect this technique as it can detect when a process image is changed from a different process. Specifically the Event ID 25 can capture various offensive techniques which attempt to tamper a process such as process hollowing and process herpaderping. Olaf Hartong released the following configuration file which can enable the ProcessTampering event on Sysmon.

<Sysmon schemaversion="4.50"><EventFiltering><RuleGroup name="" groupRelation="or"><ProcessTampering onmatch="exclude"></ProcessTampering></RuleGroup></EventFiltering></Sysmon>

Sysmon can be installed with the above configuration file by executing the following command:

Sysmon64.exe -i process-tampering.xml

References :-

1. https://pentestlaboratories.com/2021/01/18/process-herpaderping-windows-defender-evasion/
2. https://github.com/processhacker/processhacker
3. https://www.youtube.com/watch?v=FIDCLMvH6Vs