The mechanism that loads programs was originally designed for Windows XP and has changed little since then. Unlike the outdated hollowing technique, Process Doppelgänging takes advantage of how Windows loads processes into memory. Process Hollowing occurs when memory of a legitimate program is modified and replaced with user-injected data causing the original process to appear to run normally while executing potentially harmful code. The process is very similar to a technique called Process Hollowing, but software companies can already detect and mitigate risks from the older attack method. Dubbed Process Doppelgänging, commonly available antivirus software is unable to detect processes that have been modified to include malicious code. Presented at Black Hat Europe, a new fileless code injection technique has been detailed by security researchers Eugene Kogan and Tal Liberman.
0 kommentar(er)
