Awesome

Process Doppelgänging

This is my implementation of the technique presented by enSilo:<br/> https://www.youtube.com/watch?v=Cch8dvp836w

Characteristics:

Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
Sections mapped with original access rights (no RWX)
Payload connected to PEB as the main module
Remote injection supported (but only into a newly created process)
Process is created from an unnamed module (GetProcessImageFileName returns empty string)

<hr/> <b>WARNING:</b> <br/> The 32bit version works on 32bit system only.