DioProcess

Process Creation

DioProcess provides 7 process creation techniques for security research, from simple CreateProcess to advanced fileless execution methods.

Available Methods

1. Normal CreateProcess

Basic

Standard process creation via CreateProcessW. Optionally creates the process suspended or with the Block DLL mitigation policy applied.

File: create.rs
Function: create_process()

2. PPID Spoofing

Evasion

Create a process that appears as a child of a different parent process using PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.

File: ppid_spoof.rs
Function: create_ppid_spoofed_process()

3. Process Hollowing

Advanced

Create a legitimate process suspended, unmap its image, map payload PE, fix relocations, patch PEB, and hijack thread execution.

Algorithm:
  1. Create host process SUSPENDED
  2. Get PEB address via thread context (Rdx)
  3. Unmap original image via NtUnmapViewOfSection
  4. Allocate memory at payload's preferred base
  5. Write PE headers and sections individually
  6. Apply base relocations if needed
  7. Patch PEB.ImageBaseAddress
  8. Fix per-section memory permissions
  9. Hijack thread entry point (RCX)
  10. Resume thread

File: hollow.rs
Function: hollow_process()

4. Process Ghosting

Fileless

Create a process whose backing file no longer exists on disk. Uses delete-pending file state to create an orphaned image section.

Algorithm:
  1. Create temp file, open with DELETE permission
  2. Mark for deletion via NtSetInformationFile(FileDispositionInformation)
  3. Write payload via NtWriteFile
  4. Create SEC_IMAGE section via NtCreateSection
  5. Close file handle (file deleted, section survives)
  6. Create process via NtCreateProcessEx
  7. Set up PEB, process parameters, environment
  8. Create initial thread via NtCreateThreadEx

File: ghost.rs
Function: ghost_process()

5. Ghostly Hollowing

Combined

Combines process ghosting with hollowing. Ghost section mapped into a suspended legitimate process, then thread hijacked.

File: ghostly_hollow.rs
Function: ghostly_hollow_process()

6. Process Herpaderping

AV Evasion

Write payload to temp file, create image section, create process, then overwrite temp file with a legitimate PE. AV sees the legitimate PE on disk, but the payload runs in memory.

File: herpaderp.rs
Function: herpaderp_process()

Note

The legitimate image file should be larger than the payload PE.

7. Herpaderping Hollowing

Combined

Combines herpaderping with hollowing. Payload section mapped into suspended legit process, temp file overwritten with legit PE, thread hijacked.

File: herpaderp_hollow.rs
Function: herpaderp_hollow_process()

Usage

Access process creation via the UI:

  • Normal/PPID Spoofing/Hollowing — "Create Process" button in Process tab toolbar
  • Ghosting — "Ghost Process" button in Process tab toolbar
  • Ghostly Hollowing/Herpaderping — Utilities tab

Method Comparison

Method                  | File on Disk | Host Process  | Evasion Level
------------------------+--------------+---------------+--------------
Normal                  | Required     | Own process   | Low
PPID Spoofing           | Required     | Own process   | Medium
Hollowing               | Required     | Legit process | Medium
Ghosting                | Deleted      | Own process   | High
Ghostly Hollowing       | Deleted      | Legit process | Very High
Herpaderping            | Overwritten  | Own process   | High
Herpaderping Hollowing  | Overwritten  | Legit process | Very High
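The comparison above reads, from a defender's side, as a set of observable properties: whether the image file exists when the process starts, whether the on-disk file still matches the mapped image, whether the main module is still backed by an image section, and whether the recorded parent is the process that actually issued the creation call. The following added example (not part of DioProcess; written here to show how a triage script could map those properties back onto the single-method rows of the table) runs those checks over constructed process-start records. The ProcessStart field names are assumptions about what a process-start event from ETW or an EDR sensor could carry, not any vendor's schema, and the hashes and PIDs are made-up sample values. The combined variants (Ghostly Hollowing, Herpaderping Hollowing) need per-module data and are not classified here.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessStart:
    """One process-start telemetry record (constructed schema, not a vendor's)."""
    pid: int
    image_path: str
    parent_pid: int                 # parent recorded for the new process (what tools display)
    creator_pid: int                # process that actually issued the creation call
    image_on_disk: bool             # does image_path exist when the process starts?
    disk_sha256: Optional[str]      # hash of the file at image_path now (None if absent)
    mapped_sha256: str              # hash of the main module as mapped in memory
    main_module_mem_type: str       # "image" (section-backed) or "private" (re-allocated)


# Evasion levels taken from the Method Comparison table on this page.
SEVERITY = {
    "ppid_spoofing": "Medium",
    "hollowing": "Medium",
    "ghosting": "High",
    "herpaderping": "High",
}
RANK = {"Low": 0, "Medium": 1, "High": 2}


def classify(rec: ProcessStart) -> list[str]:
    """Return the single-method techniques a record is consistent with."""
    findings: list[str] = []
    # Recorded parent differs from the process that called the creation API.
    if rec.creator_pid != rec.parent_pid:
        findings.append("ppid_spoofing")
    # Main module lives in re-allocated private memory, not an image section.
    if rec.main_module_mem_type == "private":
        findings.append("hollowing")
    # Image file was already gone when the process started (delete-pending file).
    if not rec.image_on_disk:
        findings.append("ghosting")
    # File still present and section-backed, but its contents no longer match
    # what was mapped: the file was overwritten after the section was created.
    elif rec.main_module_mem_type == "image" and rec.disk_sha256 != rec.mapped_sha256:
        findings.append("herpaderping")
    return findings


def severity(findings: list[str]) -> str:
    """Highest evasion level among the findings; 'Low' for a clean record."""
    return max((SEVERITY[f] for f in findings), key=RANK.__getitem__, default="Low")


def triage(records: dict[str, ProcessStart]) -> dict[str, tuple[list[str], str]]:
    return {name: (classify(r), severity(classify(r))) for name, r in records.items()}


def sample_records() -> dict[str, ProcessStart]:
    """Constructed records, one per single-method row of the comparison table."""
    legit = "aa" * 32    # constructed hash of the legitimate on-disk PE
    payload = "bb" * 32  # constructed hash of the payload PE
    host = r"C:\Windows\System32\notepad.exe"
    tmp = r"C:\Users\u\AppData\Local\Temp\tmp1234.tmp"
    return {
        "normal":    ProcessStart(100, host, 50, 50, True, legit, legit, "image"),
        "ppid":      ProcessStart(101, host, 4000, 50, True, legit, legit, "image"),
        "hollow":    ProcessStart(102, host, 50, 50, True, legit, payload, "private"),
        "ghost":     ProcessStart(103, tmp, 50, 50, False, None, payload, "image"),
        "herpaderp": ProcessStart(104, tmp, 50, 50, True, legit, payload, "image"),
    }


if __name__ == "__main__":
    for name, (findings, sev) in triage(sample_records()).items():
        print(f"{name:10} {sev:7} {findings}")
```

The checks are deliberately independent, so a record can carry several findings at once (a PPID-spoofed hollowed process reports both), and severity reports the highest of them. The disk-versus-mapped hash comparison is only meaningful while the main module is still section-backed, which is why it sits in the elif branch after the private-memory check.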