Question

[KRAFMA]

Hello why you not implemented the :
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
on the TransactedHollowing ?

Cause the actual parent id work but i know a better , is cause Ntcreateprocess ? need createprocess ?

[daem0nc0re]

My PE Injection PoCs use NtCreateProcessEx which allows PPID for 4th parameter, ao InitializeProcThreadAttributeList API and UpdateProcThreadAttribute API are not required.

TangledWinExec/TransactedHollowing/TransactedHollowing/Interop/NativeMethods.cs

Line 116 in 1298c5b

public static extern NTSTATUS NtCreateProcessEx(

Additionally, I do so because I want to use only Nt APIs for PoC whenever possible.

[KRAFMA]

Yes but is for implement block dll : BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON

[daem0nc0re]

Thanks for sharing your opinion.
Essentially, the purpose of this repository is not to provide attack tools, but to provide PoCs for research or investigation about process execution techniques.
If the current implementation is inconvenient to investigate the technique, please give me specific examples so I can consider changing it.

[KRAFMA]

i try some solution for Ntcreate and check the integrity process before spoof the ppid for have more target , i update you later
btw
Any your poc can load .net file ? or only for native file ?

[daem0nc0re]

Thanks for your support.

Any your poc can load .net file ? or only for native file ?

I have not tried with .NET file yet.
I've been busy lately and won't have time for a while, sorry.

[KRAFMA]

.net seem not work but i'm sure can fix
btw : https://twitter.com/_RastaMouse/status/1524761507782873088
https://offensivedefence.co.uk/posts/ntcreateuserprocess/ is c++
and atm i use this and his amazing : https://i.gyazo.com/32d08b93537801c64b256693ff16ee81.png

[daem0nc0re]

Thanks for sharing!
I will try to address this issue next week or the week after.

[KRAFMA]

I like your poc so i want try improve a bit :)
Good luck

[daem0nc0re]

I'm happy to hear that!
I will try as soon as possible 💪

[daem0nc0re]

I started from .NET binary issue and added .NET binary support to PE file parser of TransactedHollowing PoC.
But NtCreateProcessEx and NtMapViewOfSection returns NTSTATUS 0x4000000E : {Machine Type Mismatch} for .NET binary.
Do you have any idea?

[KRAFMA]

<3 love you going test

[KRAFMA]

I started from .NET binary issue and added .NET binary support to PE file parser of TransactedHollowing PoC. But NtCreateProcessEx and NtMapViewOfSection returns NTSTATUS 0x4000000E : {Machine Type Mismatch} for .NET binary. Do you have any idea?

Not very but i can investigate

[daem0nc0re]

OK.
I will continue to investigate the .NET issue, but will work on the PPID first.

[daem0nc0re]

Added the feature you requested to my TransactedHollowing PoC.
Check this commit.

[KRAFMA]

Added the feature you requested to my TransactedHollowing PoC. Check this commit.

Love your work !!! good job
i have tested some solutions for try add net support but nothings new from my part

[KRAFMA]

Little issue , if i choose block dll but the ppid is 0 we can got a error like this (sorry french pc)

[KRAFMA]

Simply fixed if you add int ppid = 0 in your parameter for method call :CreateTransactedHollowingProcess and CreateInitialProcess

[daem0nc0re]

I cannot reproduce your issue and found no issue in the code.
It seems that you tried to execute GUI required PE image.
My NtCreateUserProcess implementation is minimal so does not support GUI required PE image.

[KRAFMA]

Is the block dll make this , cause a process try open the transacted process injected i think

[KRAFMA]

Hey how are you ? can you check transacted on win 7 , seem the block dll not work or not implemented on win 7 so the new transacted crash but not the old , maybe just check os like this return (string)Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion").GetValue("ProductName");
If i put false on the block dll the NtCreateUserProcess crash on the processparameter

[daem0nc0re]

Hi.
Currently, my interest lies in other projects and not interested in Windows 7 things so much.
So it will take some time, but will deal with it in due time.

[KRAFMA]

Hello how are you ?
i'm back to work and i'm find this : https://github.com/Shrfnt77/DynamicSyscalls/tree/main/Examples/ProcessHollowing

Is a simply processhollow very light and work for .net payload with NtApi (ppid spoof and PROCESS_CREATION_MITIGATION_POLICY) but only for x64
Maybe this can help you for find how add or fix your poc's for support .net payload

[daem0nc0re]

Thanks for sharing!
I am busy these days and will check when it comes (maybe after April).

[KRAFMA]

I can try reduce a maximum for more simply if you need/want
And put normal api vs syscall

[KRAFMA]

How i can contact you please ? I trying twitter but seem your dm not opened