Skip to content
/ TRunPE Public

A modified RunPE (process hollowing) technique avoiding the usage of SetThreadContext by appending a TLS section which calls the original entrypoint.

License

GPL-3.0 license
93 stars 23 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jackullrich/TRunPE

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
TRunPE
TRunPE
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
TRunPE.sln
TRunPE.sln
 
 

Repository files navigation

TRunPE

A modified RunPE (process hollowing) technique avoiding the usage of SetThreadContext by appending a TLS section which calls the original entrypoint.

https://winternl.com/trunpe

Proof-of-Concept Code

Future Improvements

  • Modifying an existing TLS section
  • Extending the IMAGE_SECTION_HEADER list if necessary
  • Placing the callback code in an already executable section
  • Relocation support

Visual Studio 2019

Tested with McAfee's bintext.exe on Windows 10

About

A modified RunPE (process hollowing) technique avoiding the usage of SetThreadContext by appending a TLS section which calls the original entrypoint.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

93 stars

Watchers

9 watching

Forks

23 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages