Skip to content

Klotzi111/ProcessHollowerNet

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
ProcessHollowerNet
ProcessHollowerNet
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
ProcessHollowerNet.sln
ProcessHollowerNet.sln
 
 
README.md
README.md
 
 

Repository files navigation

ProcessHollowerNet

ProcessHollowerNet is a simple command line tool for Windows, written in modern .NET, to create a "hollowed" process.

Short description of process hollowing:

  1. Create a new process in a suspended state
  2. Replace the memory of the new process with a different "injected" executable (Relocating it as needed)
  3. Change the entry point of the new process to the entry point of the "injected" executable
  4. Resume the new process

Build and Constraints

Build it for x64.
While the program can be build for any architecture, it will error out if it is not run as a 64-bit process (on a 64 bit operating system).
This is because the code uses:

  • WOW64 functions to set the context of the new process (on a 32 bit operating system the "normal" functions needs to be used)
  • IntPtr (nint) to hold pointers/addresses which are 32 bit with a 32 bit process which makes it impossible to handle 64 bit addresses of a 64 bit process

Both reasons could be fixed but there is no real need for it as 64 bit operating systems are the norm today and this is a command line tool after all.

Possible ways to fix these issues:
WOW64 functions: Just add a check for the operating system and use the correct functions.
64 bit pointers in 32 bit process: Call the NT* functions directly from the 64 bit version of ntdll.dll that is always loaded in a process on a 64 bit operating system.

Usage

This tool can create 32 bit and 64 bit processes.

It performas basic checks to ensure that the "injected" executable is compatible with the target process:

  • Check if the PE image have a valid signature.
  • Check if the target process and the PE image have the same architecture.
  • Check if the target process and the PE image have the same subsystem.
  • Check if the PE image have a relocation table.

Run it:

ProcessHollowerNet.exe <ExeFileToInject> <ExeFileToStart> [Additional Arguments]

ExeFileToInject: The PE image that will be injected into the new process.
ExeFileToStart: The executable that will be started in a suspended state and then hollowed.
[Additional Arguments]: Optional arguments that will be passed to the new process.

There are additional arguments that can be used to control how the new process is created.
These can be specified in [Additional Arguments] section and will be removed from the arguments passed to the new process:
--PHN-CF-DetachedProcess: Create the new process as a detached process.
--PHN-CF-CreateNewConsole: Creates the new process with a new console.
--PHN-CF-NewProcessGroup: Creates the new process with its own process group.
--PHN-CF-BreakawayFromJob: Creates the new process without being part of the job of the parent process.
--PHN-CF-NoWindow: Creates the new process without a window.

Sources

Strongly inspired by ProcessHollowing - Thanks

Thanks to Gemini CLI for a inital draft of the required parts and generating the required native structures and function signatures

About

Creates a process with its body replaced by an other executable

Topics

windows dotnet process-hollowing native-interop

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Languages