Process techniques

The process/* package tree groups two concerns:

  1. Discovery / management (enum, session) — cross-platform process listing and Windows session / token enumeration.
  2. Tampering (tamper/fakecmd, tamper/herpaderping, tamper/hideprocess, tamper/phant0m) — Windows-only primitives that lie about, hide, or silence parts of the running-process picture.

```mermaid
flowchart TB
    subgraph discovery [Discovery / management]
        ENUM[enum<br>Win32 Toolhelp + Linux /proc<br>List / FindByName / FindProcess]
        SESS[session<br>WTSEnumerate + cross-session<br>CreateProcess / Impersonate]
    end
    subgraph tamper [process/tamper/*]
        FK[fakecmd<br>PEB CommandLine spoof<br>self + remote PID]
        HD[herpaderping<br>kernel image-section cache<br>Herpaderping + Ghosting]
        HP[hideprocess<br>NtQSI patch in target<br>blind Task Manager / ProcExp]
        PH[phant0m<br>EventLog thread termination<br>SCM still RUNNING]
    end
    subgraph consumers [Downstream consumers]
        LSA[credentials/lsassdump]
        INJ[inject/*]
        EVA[evasion.Technique chains]
    end
    ENUM --> LSA
    ENUM --> HP
    ENUM --> PH
    SESS --> INJ
    HD --> EVA
    PH --> EVA
```

Packages

| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| process/enum | enum.md | quiet | Cross-platform process list / find-by-name (Windows + Linux) |
| process/session | session.md | moderate | Windows session enum + cross-session CreateProcess / Impersonate |
| process/tamper/fakecmd | fakecmd.md | quiet | PEB CommandLine spoof (self + remote PID) |
| process/tamper/herpaderping | herpaderping.md | moderate | Kernel image-section cache exploit (Herpaderping + Ghosting) |
| process/tamper/hideprocess | hideprocess.md | moderate | Patch NtQSI in target → blind Task Manager / ProcExp |
| process/tamper/phant0m | phant0m.md | noisy | Terminate EventLog worker threads; SCM still shows RUNNING |

Quick decision tree

| You want to… | Use |
|---|---|
| …find a process by name (cross-platform) | enum.FindByName |
| …enumerate Windows sessions / users | session.Active |
| …spawn under another user's token | session.CreateProcessOnActiveSessions |
| …run a callback under another user's identity briefly | session.ImpersonateThreadOnActiveSession |
| …spoof your process's command-line in user-mode triage | fakecmd.Spoof |
| …spawn a process whose disk image lies | herpaderping.Run (ModeHerpaderping or ModeGhosting) |
| …blind a single analyst tool's process listing | hideprocess.PatchProcessMonitor |
| …silence the Windows Event Log without sc stop | phant0m.Kill |

MITRE ATT&CK

| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1057 | Process Discovery | process/enum, process/session | D3-PA |
| T1134.001 | Access Token Manipulation: Token Impersonation/Theft | process/session | D3-USA |
| T1134.002 | Access Token Manipulation: Create Process with Token | process/session | D3-PSA |
| T1036.005 | Masquerading: Match Legitimate Name or Location | process/tamper/fakecmd | D3-PSA |
| T1055.013 | Process Doppelgänging | process/tamper/herpaderping | D3-PSA, D3-FCA |
| T1027.005 | Indicator Removal from Tools | process/tamper/hideprocess, process/tamper/herpaderping | D3-SCA |
| T1564.001 | Hide Artifacts: Hidden Process | process/tamper/hideprocess | D3-RAPA |
| T1562.002 | Impair Defenses: Disable Windows Event Logging | process/tamper/phant0m | D3-RAPA, D3-PA |

Layered cover recipe

A typical "look like svchost while running implant work" stack:

  1. Spawn via herpaderping so the on-disk image lies (or is gone, with ModeGhosting).
  2. PEB CommandLine via fakecmd.Spoof so user-mode triage shows svchost.exe -k netsvcs.
  3. Identity at link time via pe/masquerade/preset/svchost so VERSIONINFO + manifest + icon all match.
  4. Authenticode via pe/cert.Copy so file-property dialogs see a Microsoft signature.
  5. Triage tools via hideprocess so the first user opening Task Manager sees nothing.
  6. Logs via phant0m.Kill so EventLog doesn't capture lateral activity.

Each step has its own detection profile (see the Detection column above); stacked together, they raise the bar for triage significantly.

See also