Shulou(Shulou.com)06/02 Report--

Process Doppelg ä nging attack technology and personal protection is what, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

At the 2017 European Black Hat Congress (Blackhat EUROPE 2017), two researchers from the cyber security company enSilo introduced a new type of attack called "Process Doppelg ä nging". This attack technology can launch attacks against all the above versions of windows vista, and even bypass the inspection of most modern mainstream security software and execute malicious programs.

After the disclosure of this attack technology, the active defense system of 360Security Guard has been urgently upgraded to intercept Process Doppelg ä nging's attacks such as and process creation in multiple dimensions, thus perfectly cracking the "anti-reconnaissance" technology of the attack and providing close protection for users.

Principle of 0x01 attack

Microsoft began to support NTFSTransaction (TxF) from Windows Vista, which was originally intended for scenarios such as file upgrade and distributed collaboration (DistributedTransaction Coordinator,DTC), where modification operations can be rolled back. The Process Doppelg ä nging attack takes advantage of the rollback feature of TxF: (1) write an overwritten white program with a malicious program, (2) then load the overwritten file into memory, (3) roll back the file on the disk after loading to overwrite the previous file, and (4) finally use (2) the Section loaded into memory to create a process, and finally achieve the purpose of executing malicious programs and bypassing software killing checks.

0x02 attack process

First create a transaction:

Figure 2

Add the white program file to this transaction:

Figure 3

Overwrite with a malicious program:

Figure 4

Load into memory:

Figure 5

Roll back the transaction:

Figure 6

Finally, create a process using Section in memory:

0x03 attack effect

This attack method can bypass the mainstream foreign protection software.

Figure 8

0x04 360 Security Guard Defense upgrade

The 360 security guard strengthens the protection against this attack, adds multi-dimensional protection, intercepts the injection of attacks and process creation, and protects the security of users' computers.

Figure 9

Figure 10

After reading the above, have you mastered the methods of Process Doppelg ä nging attack technology and close protection? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.