May, 2018

Process Doppelganging

Security researchers from enSilo discovered a new code injection attack for Windows called “Process Doppelganging.” Process Doppelganging is similar to Process Hollowing, a technique attackers used a couple of years back that is now identified by most security software. The most recent use of Process Hollowing was in the case of the Scarab ransomware, which spread via 12.5 million emails. Process Doppelganging takes a different approach to achieve the same result, abusing Windows NTFS Transactions and an outdated implementation of the Windows process loader, which was originally designed for Windows XP but has been carried through all later versions of Windows. It makes suspicious code look like a legitimate Windows process, which can easily bypass security products. The malware can eventually hold files for ransom, monitor keystrokes, or steal confidential information.

How the Attack Works

Doppelganging works by utilizing two distinct features together to mask the loading of a modified executable. It uses a Windows feature called Transactional NTFS (TxF) to make changes to an executable file that will never actually be committed to disk.

Previously, malware had to be either written to disk or run completely from memory, and security products developed tools to fight both kinds. If the malware had a file on disk, the file could be scanned.

Software that runs without a file is suspicious and could also be detected. With Process Doppelganging, the malicious software can run from a file, but this file will be invisible to security software. The changes made are never written to the disk, so it is a file-less attack that cannot be tracked by antivirus software. The modified executable is then loaded using the Windows process loading mechanism, so the malware process can still run. If opened, the file on disk will contain no suspicious content. Moreover, this file can be a well-known, digitally signed application.

A section object is created from the modified file using the NtCreateSection API, and the transaction is undone with the RollbackTransaction API. Once this is complete, NtCreateProcessEx is called with the malicious section passed as a parameter, and execution is then resumed in the remote process.

Call chain path:

CreateTransaction -> CreateFileTransacted -> WriteFile -> NtCreateSection -> NtCreateProcessEx -> RtlCreateProcessParametersEx -> VirtualAllocEx -> WriteProcessMemory -> NtCreateThreadEx

As we can see, fewer suspicious APIs such as ReadProcessMemory/NtReadVirtualMemory, WriteProcessMemory, NtMapViewOfSection and SetThreadContext are used, and the image is mapped by the Windows PE loader rather than written into memory using WriteProcessMemory, resulting in a considerably more authentic-looking process.

Doppelganging in steps:

  • Transact – Overwrite legitimate executable with a malicious one
  • Load – Load malicious executable
  • Rollback – Rollback to original executable
  • Animate – Bring the Doppelganger to life
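The same sequence is what a defender can correlate on. The Python sketch below is an added example, not code from this post or from enSilo: it walks an API trace and flags a process created from a section whose backing file was written inside an NTFS transaction that was then rolled back. The event schema, handle values and file paths are assumptions constructed for illustration.

```python
# Added example: correlate an API trace to spot Transact -> Load -> Rollback -> Animate.
# The event schema (pid, api, handle fields) is an assumption made for this sketch.

def detect_doppelganging(events):
    """Return one alert per process created from a section whose backing file
    was written inside an NTFS transaction that was later rolled back."""
    tx_files = {}        # (pid, file handle) -> (transaction handle, path)
    dirty_tx = set()     # (pid, tx) that received a transacted write
    sections = {}        # (pid, section handle) -> (tx, path)
    rolled_back = set()  # (pid, tx) that were rolled back
    alerts = []
    for ev in events:
        pid, api = ev["pid"], ev["api"]
        if api == "CreateFileTransacted":
            tx_files[(pid, ev["file"])] = (ev["tx"], ev["path"])
        elif api == "WriteFile" and (pid, ev["file"]) in tx_files:
            dirty_tx.add((pid, tx_files[(pid, ev["file"])][0]))
        elif api == "NtCreateSection" and (pid, ev["file"]) in tx_files:
            tx, path = tx_files[(pid, ev["file"])]
            if (pid, tx) in dirty_tx:
                sections[(pid, ev["section"])] = (tx, path)
        elif api == "RollbackTransaction":
            rolled_back.add((pid, ev["tx"]))
        elif api == "NtCreateProcessEx" and (pid, ev["section"]) in sections:
            tx, path = sections[(pid, ev["section"])]
            if (pid, tx) in rolled_back:
                alerts.append({"pid": pid, "path": path, "tx": tx})
    return alerts

# Constructed sample trace (handles and paths are made up for illustration).
SAMPLE_TRACE = [
    {"pid": 4120, "api": "CreateTransaction", "tx": 0x10},
    {"pid": 4120, "api": "CreateFileTransacted", "tx": 0x10, "file": 0x20,
     "path": r"C:\Example\signed_app.exe"},
    {"pid": 4120, "api": "WriteFile", "file": 0x20},
    {"pid": 4120, "api": "NtCreateSection", "file": 0x20, "section": 0x30},
    {"pid": 4120, "api": "RollbackTransaction", "tx": 0x10},
    {"pid": 4120, "api": "NtCreateProcessEx", "section": 0x30},
    # Benign: transacted write that is committed, no process created from it.
    {"pid": 5300, "api": "CreateFileTransacted", "tx": 0x14, "file": 0x24,
     "path": r"C:\Example\update.dat"},
    {"pid": 5300, "api": "WriteFile", "file": 0x24},
    {"pid": 5300, "api": "CommitTransaction", "tx": 0x14},
    # Benign: process created from a section backed by an ordinary file.
    {"pid": 6000, "api": "NtCreateSection", "file": 0x44, "section": 0x48},
    {"pid": 6000, "api": "NtCreateProcessEx", "section": 0x48},
]
```

Calling `detect_doppelganging(SAMPLE_TRACE)` returns a single alert for pid 4120; the sketch does not track handle reuse after a handle is closed.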


The attack works on all modern versions of the Microsoft Windows operating system, from Windows Vista to the latest version of Windows 10, including the latest versions of Windows protected with fully updated AV and NGAV security products. However, a source of relief is that the attack is pretty hard to perform and requires some knowledge that is not documented by the researchers.

The Author

Suvarna Trigune

Suvarna Trigune is a malware research engineer who likes to enlighten others about the unknown and little-known facts about cyber security through her blogs.