Process Herpaderping: Bypassing Signature Scanning via OS File Modification

To fully grasp the concept of Process Herpaderping, it is crucial to first understand the foundational components of how Windows handles files, process creation, and security scanning.

The Anatomy of Process Creation

In the Windows operating system, creating a process is not a single, atomic operation. Instead, it is a multi-step procedure that involves several internal components and Application Programming Interfaces (APIs). Generally, the process creation workflow follows these steps:

1. File Opening: The executable file (.exe) is opened on the disk.
2. Image Mapping: The operating system creates a section object to map the executable file into the memory space.
3. Process Object Creation: A process object is instantiated in the kernel, acting as a container for the application.
4. Thread Creation: The primary thread for the process is created.
5. Security Scanning: EDR or AV solutions typically intercept the process creation at various stages (often through kernel callbacks like PspCreateProcessNotifyRoutine) to scan the memory-mapped image and the on-disk file for malicious signatures.
6. Execution Initialization: Finally, the thread begins execution.

What is Process Herpaderping?

Process Herpaderping is an advanced evasion technique that disrupts the expected sequence of process creation and security scanning. The fundamental idea behind Herpaderping is to obscure the actual malicious payload from security scanners by altering the on-disk file after the file has been mapped into memory but before the security scanner inspects it.

The term "Herpaderping" is a playful nod to the idea of confusing or "derping" the security products. When a security product attempts to scan the file on disk to determine the safety of the newly created process, it reads a modified, benign version of the file instead of the actual malicious payload that is already residing in memory and preparing to execute.

The magic of Process Herpaderping lies in exploiting the time gap (or race condition) and the separation between memory-mapped execution and on-disk file validation. Let's break down the attack execution flow step-by-step:

Step 1: Writing the Malicious Payload to Disk

The attacker begins by writing a malicious executable payload to the disk. This payload contains the actual code the attacker wishes to run. At this stage, the file is highly recognizable to signature scanners, so the attacker must act quickly to obfuscate its true nature. The file is created with specific sharing permissions that allow for subsequent modifications.

Step 2: Mapping the File into Memory

Before any execution occurs, the attacker uses Windows APIs (such as NtCreateSection) to map the malicious executable file into memory as an image section. Once the file is mapped into memory as an image, the operating system locks the memory structure based on the contents of the file at that exact moment. This memory-mapped image is what will eventually be executed.

Step 3: Modifying the File on Disk (The "Derp")

This is the critical phase where the evasion takes place. Immediately after mapping the malicious payload into memory, the attacker forcefully overwrites the contents of the file on disk. The on-disk file is typically replaced with benign content, random bytes, or a completely legitimate application's code.

Because the file was mapped into memory using an image section in Step 2, modifying the file on disk does not affect the memory-mapped payload. The memory still contains the malicious code, while the disk now contains harmless data.

Step 4: Creating the Process and Thread

With the memory containing the malicious payload and the disk containing benign data, the attacker proceeds to create a process using the previously created memory section (e.g., using NtCreateProcessEx). Following this, a primary thread is created within the process space to kickstart execution.

Step 5: The Security Scanner Inspection

When the thread is created, the Windows kernel triggers process creation callbacks (such as PsSetCreateProcessNotifyRoutineEx). This alerts the installed EDR or AV software that a new process is starting.

The security software intercepts this notification and attempts to evaluate the safety of the new process. Because scanning massive amounts of memory is computationally expensive and can severely degrade system performance, many security products default to inspecting the associated file on the disk to check for malicious signatures.

When the security scanner opens the file on disk to inspect it, it reads the data written during Step 3—the benign, modified content. The scanner finds no malicious signatures, concludes that the process is safe, and allows the execution to proceed.

Step 6: Execution of Malicious Code

With the security scanner successfully duped, the primary thread begins executing the malicious payload that was safely mapped into memory during Step 2. The malware runs unimpeded, achieving the attacker's objectives while maintaining a stealthy profile on the host system.

To appreciate the sophistication of Process Herpaderping, it is helpful to compare it against other well-known evasion techniques, such as Process Hollowing and Process Doppelgänging.

Process Hollowing

In Process Hollowing, an attacker starts a legitimate, benign process in a suspended state. The attacker then "hollows out" the memory of this legitimate process by unmapping its original code. Finally, the attacker injects the malicious payload into the hollowed memory space and resumes the thread.

Difference: Process Hollowing manipulates an existing, legitimate process in memory. Security products have become adept at detecting Hollowing by identifying discrepancies between the memory contents and the corresponding file on disk, or by detecting the suspicious unmapping and remapping of memory. Process Herpaderping, on the other hand, creates a new process directly from a malicious file that is quickly overwritten, focusing on deceiving the initial disk-based signature scan.

Process Doppelgänging

Process Doppelgänging abuses Windows Transactional NTFS (TxF) to achieve evasion. The attacker opens a transaction, overwrites a legitimate executable with a malicious payload, creates a memory section from the transacted file, and then rolls back the transaction. The malicious payload exists in memory, but the file on disk remains completely unaltered and benign.

Difference: Microsoft has heavily restricted and deprecated TxF due to its abuse in Process Doppelgänging, making this technique highly unreliable on modern Windows systems (Windows 10 and 11). Process Herpaderping does not rely on TxF; instead, it exploits fundamental file I/O and process creation APIs that cannot be easily deprecated without breaking legitimate software functionality. This makes Herpaderping a much more persistent and viable threat on modern operating systems.

Understanding the theoretical mechanics is important, but observing how Process Herpaderping operates in a real-world scenario provides crucial context for threat modeling and defensive planning.

Scenario: The Stealthy Ransomware Deployment

Consider an Advanced Persistent Threat (APT) group that has successfully gained initial access to a corporate network. Their ultimate goal is to deploy custom ransomware across multiple endpoints. To avoid immediate detection by the robust EDR agents deployed throughout the enterprise, the attackers utilize a custom dropper implementing Process Herpaderping.

1. Delivery: The dropper executes on the victim's machine. It dynamically generates the ransomware executable and writes it to a temporary directory.
2. Mapping: Within milliseconds, the dropper maps the ransomware executable into a memory section.
3. Overwriting: The dropper immediately overwrites the ransomware file on disk with the contents of a standard Windows utility, such as calc.exe (the Windows Calculator).
4. Execution Initiation: The dropper creates the process and thread using the malicious memory section.
5. EDR Evasion: The enterprise EDR intercepts the process creation. It inspects the file on disk, sees the signature of calc.exe, and allows the execution.
6. Impact: The ransomware executes from memory, encrypting critical files and databases while the EDR logs indicate that merely the calculator application was launched.

This scenario highlights the severe threat posed by Herpaderping. By blinding the primary detection mechanism (disk scanning), attackers can execute highly destructive payloads—such as ransomware, remote access trojans (RATs), or lateral movement tools—with a significantly reduced risk of immediate interdiction.

Exploitation via Red Teaming Frameworks

Process Herpaderping is not merely an academic concept; it has been actively integrated into advanced Red Teaming frameworks and adversary simulation tools. Security researchers and Red Team Operators frequently use custom tools or modified versions of frameworks like Cobalt Strike or Sliver to test their organization's resilience against this specific evasion technique.

The availability of Proof-of-Concept (PoC) code on platforms like GitHub has drastically lowered the barrier to entry, meaning that not only APTs but also less sophisticated cybercriminal syndicates can incorporate Herpaderping into their malware arsenals.

A deep technical dive into Process Herpaderping requires an understanding of the specific Windows Native APIs (NTAPIs) utilized by attackers to orchestrate the technique. These APIs operate at a lower level than standard Windows API (Win32 API) functions, providing attackers with finer control over system resources.

NtCreateFile / NtOpenFile

These functions are used to create or open a file on the disk. For Herpaderping, the file must be opened with specific sharing access flags (FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE) to ensure that the file can be modified later while still being mapped into memory.

NtCreateSection

This is perhaps the most critical API in the Herpaderping chain. NtCreateSection is used to create a section object that maps the file into memory. By specifying the SEC_IMAGE attribute, the operating system maps the file as an executable image, preparing it for execution. Crucially, the image is mapped based on the file's contents at the exact moment this API is called.

NtCreateProcessEx

Once the section object is created, the attacker uses NtCreateProcessEx to instantiate a new process object in the kernel. This process object is explicitly tied to the section object created in the previous step.

API Orchestration for File Modification

To perform the "derp" (modifying the file on disk), attackers typically use file writing APIs like WriteFile (from Win32 API) or lower-level NTAPIs like NtWriteFile to overwrite the on-disk bytes with benign content. This must be executed rapidly after NtCreateSection but before the thread is spawned.

NtCreateThreadEx

Finally, NtCreateThreadEx is called to create the primary thread for the new process. It is the invocation of this API that ultimately triggers the kernel callbacks alerting EDR systems to the new process creation. By the time this alert is generated, the file on disk has already been altered.

Defending against Process Herpaderping is challenging because it exploits fundamental, expected behaviors of the Windows operating system. Blocking the underlying APIs completely is impossible, as doing so would break countless legitimate applications. However, organizations can implement layered security strategies to detect and mitigate this evasion technique effectively.

1. Enhancing EDR Memory Scanning Capabilities

The primary weakness of traditional EDR scanning is its reliance on disk-based file inspection to save computational resources. To counter Herpaderping, security solutions must pivot towards robust memory scanning.

• In-Memory Scanning: EDR solutions must actively scan the memory-mapped executable image (the SEC_IMAGE section) at the time of process creation, rather than relying solely on reading the file from the disk. By inspecting the actual bytes in memory, the EDR can detect the malicious payload regardless of what resides on the disk.
• Memory-to-Disk Discrepancy Detection: Advanced endpoint security tools can perform comparative analysis. If a security product compares the memory footprint of a newly spawned process against the corresponding file on the disk and detects significant, inexplicable differences, it is a strong indicator of Herpaderping or Process Hollowing.

2. Monitoring Process Creation Anomalies

Process Herpaderping leaves subtle behavioral artifacts that can be detected through careful monitoring and threat hunting.

• File Modification Timings: Monitor for rapid, sequential events where an executable file is created, immediately mapped into memory as an image, and then subsequently modified or overwritten before or just as a process thread is spawned from it. This specific sequence of events is highly anomalous and indicative of Herpaderping.
• Suspicious File Access Patterns: Utilize tools like Sysmon to monitor file access. Look for processes requesting FILE_SHARE_WRITE or FILE_SHARE_DELETE permissions on executable files just prior to process creation, as legitimate applications rarely require such permissions for standard execution.

3. Leveraging Microsoft Security Updates and Features

Microsoft continuously updates the Windows kernel to provide better visibility to security vendors.

• Process Creation Callbacks: Ensure that EDR solutions are utilizing the latest kernel callbacks (e.g., PsSetCreateProcessNotifyRoutineEx and PsSetCreateThreadNotifyRoutine) and are configured to inspect the process memory state as accurately as possible when these callbacks are triggered.
• Windows Defender Application Control (WDAC): Implementing strict application control policies can prevent unauthorized binaries from executing in the first place, rendering evasion techniques like Herpaderping moot if the initial malicious payload cannot be loaded.

4. Advanced Threat Hunting Operations

Security Operations Centers (SOCs) should actively hunt for Herpaderping artifacts within their environments.

• ETW (Event Tracing for Windows): Leverage ETW providers (such as the Microsoft-Windows-Kernel-Process and Microsoft-Windows-Kernel-File providers) to collect high-fidelity telemetry on file mappings and modifications. Analysts can correlate file write events with process creation events to identify suspicious timing overlaps.
• YARA Rules for Memory: Deploy YARA rules designed specifically to scan live memory across endpoints. Even if a file bypasses the initial disk scan, periodic memory sweeping can identify the presence of known malware families executing in memory.