An attempt to implement Process Doppelgänging
Just clone the repo and open the .sln with Visual Studio 2015.
Currently this works only in x64. To use you need a dummy exe like svchost.exe and your malicous exe. read below - you need to be able to write over the file.
WARNING DONT USE ON WIN10 YOU WILL GET A BSOD.
exmaple:
processrefund.exe svchost.exe MalExe.exe
- You can not replace any file. If you try to replace C:\windows\system32\svchost.exe you will get "Access Denied".
Yet in the black hat slide show they show replacing "svchost.exe", but after viewing the DEMO image in the slide show
it is clear they didn't replace svchost.exe in the demo but Vmmap.exe from sysinternals.
- This techinque will not bypass all AntiViruses because of the use of NtCreateThreadEx, which is equal to CreateRemoteThread. An AntiVirus may monitor the creation of remote thread thus detecting our Doppelgänging.