Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging

Transacted Hollowing

Transacted Hollowing - a PE injection technique. A hybrid between Process Hollowing and Process Doppelgänging.

More info here

Characteristics:

• Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
• Sections mapped with original access rights (no RWX)
• Payload connected to PEB as the main module
• Remote injection supported (but only into a newly created process)

Supported injections:

If the loader was built as 32 bit:

32 bit payload -> 32 bit target

If the loader was built as 64 bit:

64 bit payload -> 64 bit target
32 bit payload -> 32 bit target

How to use the app:

Supply 2 commandline arguments:

[payload_path] [target_path]

Payload is the PE to be executed impersonating the Target.