last_reviewed 2026-04-27
reflects_commit d57d000

Process techniques

← maldev README · docs/index

The process/* package tree groups two concerns:

  1. Discovery / management (enum, session) — cross-platform process listing and Windows session / token enumeration.
  2. Tampering (tamper/fakecmd, tamper/herpaderping, tamper/hideprocess, tamper/phant0m) — Windows-only primitives that lie about, hide, or silence parts of the running-process picture.
```mermaid
flowchart TB
    subgraph discovery [Discovery / management]
        ENUM[enum<br>Win32 Toolhelp + Linux /proc<br>List / FindByName / FindProcess]
        SESS[session<br>WTSEnumerate + cross-session<br>CreateProcess / Impersonate]
    end
    subgraph tamper [process/tamper/*]
        FK[fakecmd<br>PEB CommandLine spoof<br>self + remote PID]
        HD[herpaderping<br>kernel image-section cache<br>Herpaderping + Ghosting]
        HP[hideprocess<br>NtQSI patch in target<br>blind Task Manager / ProcExp]
        PH[phant0m<br>EventLog thread termination<br>SCM still RUNNING]
    end
    subgraph consumers [Downstream consumers]
        LSA[credentials/lsassdump]
        INJ[inject/*]
        EVA[evasion.Technique chains]
    end
    ENUM --> LSA
    ENUM --> HP
    ENUM --> PH
    SESS --> INJ
    HD --> EVA
    PH --> EVA
```

Packages

| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| process/enum | enum.md | quiet | Cross-platform process list / find-by-name (Windows + Linux) |
| process/session | session.md | moderate | Windows session enum + cross-session CreateProcess / Impersonate |
| process/tamper/fakecmd | fakecmd.md | quiet | PEB CommandLine spoof (self + remote PID) |
| process/tamper/herpaderping | herpaderping.md | moderate | Kernel image-section cache exploit (Herpaderping + Ghosting) |
| process/tamper/hideprocess | hideprocess.md | moderate | Patch NtQSI in target → blind Task Manager / ProcExp |
| process/tamper/phant0m | phant0m.md | noisy | Terminate EventLog worker threads; SCM still shows RUNNING |
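The Linux half of what `process/enum` describes (list from `/proc`, then find-by-name) is small enough to show in full. The block below is an added example written for this page, not the project's `enum` package, and its type and function names (`Proc`, `ParseStatus`, `ListProcfs`, `FindByName`) are illustrative. It makes the two decisions a practitioner hits in practice explicit: a process that exits between `ReadDir` and `ReadFile` is silently dropped rather than failing the whole listing, and a name query is normalised (case-insensitive, trailing `.exe` stripped) so the same query works against Toolhelp names on Windows and `comm` names on Linux, where the kernel truncates `comm` to 15 characters.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Proc is one row of the process listing.
type Proc struct {
	PID  int
	PPID int
	Name string
}

// ParseStatus pulls Name, Pid and PPid out of the text of /proc/<pid>/status.
// Other fields are ignored; all three keys must be present.
func ParseStatus(status string) (Proc, error) {
	var p Proc
	seen := map[string]bool{}
	for _, line := range strings.Split(status, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		switch key {
		case "Name":
			p.Name = val
		case "Pid", "PPid":
			n, err := strconv.Atoi(val)
			if err != nil {
				return Proc{}, fmt.Errorf("%s: %w", key, err)
			}
			if key == "Pid" {
				p.PID = n
			} else {
				p.PPID = n
			}
		default:
			continue
		}
		seen[key] = true
	}
	if len(seen) != 3 {
		return Proc{}, errors.New("status: missing Name, Pid or PPid")
	}
	return p, nil
}

// ListProcfs walks procRoot (normally "/proc") and returns one Proc per
// numeric directory whose status file parses. A process that exits between
// ReadDir and ReadFile simply drops out of the list; that race is normal and
// is not reported as an error. procRoot is a parameter so a constructed
// procfs tree can be used for testing.
func ListProcfs(procRoot string) ([]Proc, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var out []Proc
	for _, e := range entries {
		if !e.IsDir() {
			continue
		}
		if _, err := strconv.Atoi(e.Name()); err != nil {
			continue // self, sys, net, ... are not processes
		}
		data, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "status"))
		if err != nil {
			continue // raced with process exit
		}
		p, err := ParseStatus(string(data))
		if err != nil {
			continue
		}
		out = append(out, p)
	}
	return out, nil
}

// normalize makes a query comparable across platforms: Toolhelp reports
// "svchost.exe" and is case-insensitive, /proc reports "sshd".
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".exe")
}

// FindByName returns every entry whose name matches query. On Linux the
// kernel stores comm in TASK_COMM_LEN (16 bytes incl. NUL), so a 15-character
// name is also accepted as a truncated prefix of a longer query.
func FindByName(procs []Proc, query string) []Proc {
	q := normalize(query)
	var hits []Proc
	for _, p := range procs {
		n := normalize(p.Name)
		if n == q || (len(n) == 15 && len(q) > 15 && strings.HasPrefix(q, n)) {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	query := "sshd"
	if len(os.Args) > 1 {
		query = os.Args[1]
	}
	procs, err := ListProcfs("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, p := range FindByName(procs, query) {
		fmt.Printf("pid=%d ppid=%d name=%s\n", p.PID, p.PPID, p.Name)
	}
}
```

Run it as `go run . svchost.exe` on Linux and it still finds nothing, which is the point of the normalisation: the query shape is the caller's, the platform-specific name shape is the enumerator's. The 15-character rule matters for long daemon names (`systemd-resolved` shows up in `/proc` as `systemd-resolve`); without it a cross-platform find-by-name silently misses them.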

Quick decision tree

| You want to… | Use |
|---|---|
| …find a process by name (cross-platform) | enum.FindByName |
| …enumerate Windows sessions / users | session.Active |
| …spawn under another user's token | session.CreateProcessOnActiveSessions |
| …run a callback under another user's identity briefly | session.ImpersonateThreadOnActiveSession |
| …spoof your process's command-line in user-mode triage | fakecmd.Spoof |
| …spawn a process whose disk image lies | herpaderping.Run (ModeHerpaderping or ModeGhosting) |
| …blind a single analyst tool's process listing | hideprocess.PatchProcessMonitor |
| …silence the Windows Event Log without sc stop | phant0m.Kill |

MITRE ATT&CK

| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1057 | Process Discovery | process/enum, process/session | D3-PA |
| T1134.001 | Access Token Manipulation: Token Impersonation/Theft | process/session | D3-USA |
| T1134.002 | Access Token Manipulation: Create Process with Token | process/session | D3-PSA |
| T1036.005 | Masquerading: Match Legitimate Name or Location | process/tamper/fakecmd | D3-PSA |
| T1564.010 | Hide Artifacts: Process Argument Spoofing | process/tamper/fakecmd | D3-PA |
| T1055.013 | Process Injection: Process Doppelgänging | process/tamper/herpaderping | D3-PSA, D3-FCA |
| T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | process/tamper/hideprocess, process/tamper/herpaderping | D3-SCA |
| T1564 | Hide Artifacts (parent technique; T1564.001 is Hidden Files and Directories, and ATT&CK has no sub-technique for a hidden process) | process/tamper/hideprocess | D3-RAPA |
| T1562.002 | Impair Defenses: Disable Windows Event Logging | process/tamper/phant0m | D3-RAPA, D3-PA |

Layered cover recipe

A typical "look like svchost while running implant work" stack:

  1. Spawn via herpaderping so the on-disk image lies (or is gone entirely, with ModeGhosting).
  2. PEB CommandLine via fakecmd.Spoof so user-mode triage shows svchost.exe -k netsvcs.
  3. Identity at link time via pe/masquerade/preset/svchost so VERSIONINFO, manifest and icon all match.
  4. Authenticode via pe/cert.Copy so file-property dialogs show a Microsoft signature.
  5. Triage tools via hideprocess so the analyst tool you targeted (one process, patched in place) stops listing you.
  6. Logs via phant0m.Kill so EventLog stops capturing lateral activity while the SCM still reports the service RUNNING.

Each step has its own detection profile (quiet to noisy in the Packages table above); layered, they raise the bar for user-mode triage significantly.

See also