Process Overwriting is a PE injection technique, closely related to Process Hollowing and Module Overloading.
With its help, you can replace the main executable (not a DLL) of the target process.
It works only for a newly created process - injection to existing processes is not supported with this technique.
WARNING: The size of the target image must be NO SMALLER than the size of the payload image.
Steps taken:
- creates a suspended process from a benign file (with CFG disabled)
- maps the payload in memory, and writes it over the originally mapped image (without unmapping the original image)
- updates the entry point of the process to the entry point of the payload
- resumes the process, executing the replaced PE
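Because the payload is written over the original image without unmapping it, the mapped main module no longer matches the file it is backed by. The following added example (not part of this repository; written here as a defender-side illustration) shows the header comparison a memory scanner performs to spot such a mismatch: it parses the PE32+ headers of the on-disk file and of the mapped main module and reports the fields an overwrite changes (entry point, SizeOfImage, section count). The sample headers are constructed in `make_pe_header`; in a live check the in-memory buffer would come from reading the first page of the main module out of the target process.

```python
import struct

# Offsets inside the optional header (identical for PE32 and PE32+).
_OPT_ENTRY_POINT = 16    # AddressOfEntryPoint
_OPT_SIZE_OF_IMAGE = 56  # SizeOfImage


def parse_pe_header(buf: bytes) -> dict:
    """Extract the header fields that Process Overwriting alters.

    Raises ValueError if the buffer is not a PE32+ image header."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", buf, coff + 2)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", buf, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    entry = struct.unpack_from("<I", buf, opt + _OPT_ENTRY_POINT)[0]
    size = struct.unpack_from("<I", buf, opt + _OPT_SIZE_OF_IMAGE)[0]
    return {"entry_point": entry, "size_of_image": size, "sections": nsections}


def find_overwrite_indicators(disk_image: bytes, mapped_image: bytes) -> dict:
    """Compare the on-disk main module with its in-memory copy.

    Returns {field: (disk_value, memory_value)} for every field that differs.
    An empty dict means the headers agree. Because the payload must fit inside
    the original image, an overwritten module typically shows a smaller
    SizeOfImage in memory than on disk, alongside a changed entry point."""
    disk, mem = parse_pe_header(disk_image), parse_pe_header(mapped_image)
    return {k: (disk[k], mem[k]) for k in disk if disk[k] != mem[k]}


def make_pe_header(entry: int, size_of_image: int, sections: int) -> bytes:
    """Constructed minimal PE32+ header used as sample input (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, sections, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, _OPT_ENTRY_POINT, entry)
    struct.pack_into("<I", opt, _OPT_SIZE_OF_IMAGE, size_of_image)
    return dos + b"PE\0\0" + coff + bytes(opt)
```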
Important
The demo payload (demo.bin) injected into Windows Calc (default target): [screenshot]
In memory (via Process Hacker): [screenshot]
📹 Process Overwriting on Windows 11 24H2: https://youtu.be/sZ8tMwKfvXw
Use recursive clone to get the repo together with all the submodules:

```
git clone --recursive https://github.com/hasherezade/process_overwriting.git
```