What distinguishes 'Process Doppelgänging' from process hollowing as a defense evasion technique?
-
A
Process Doppelgänging uses NTFS transactions to load malicious code so the file appears as a legitimate clean file to security tools
-
B
Process Doppelgänging unmaps the target process image before writing shellcode
-
C
Process Doppelgänging patches the SSDT to redirect system calls
-
D
Process Doppelgänging injects code via Windows Atom tables