{"id":95672,"date":"2019-06-20T10:02:08","date_gmt":"2019-06-20T17:02:08","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=95672"},"modified":"2025-08-12T20:45:29","modified_gmt":"2025-08-13T03:45:29","slug":"process-reimaging","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/internet-security\/process-reimaging\/","title":{"rendered":"Process Reimaging: A Cybercrook\u2019s New Disguise for Malware"},"content":{"rendered":"

As of early 2019, Windows 10<\/a> is running on more than 700 million devices, including PCs, tablets, phones, and even some gaming consoles. However, it turns out the widespread Windows operating system has some inconsistencies as to how it specifically determines process image file locations on disk. Our McAfee Advanced Threat Research team decided to analyze these inconsistencies and as a result uncovered a new cyberthreat called process reimaging<\/a>. Similar to process doppelganging<\/a> and process hollowing<\/a>, this technique evades security measures, but with greater ease since it doesn\u2019t require code injection. Specifically, this technique affects the ability for a Windows endpoint security solution to detect whether a process executing on the system is malicious or benign, allowing a cybercrook to go about their business on the device undetected.<\/p>\n

Let\u2019s dive into the details of this threat. Process reimaging leverages built-in Windows APIs, or application programming interfaces, which allow applications and the operating system to communicate with one another. One API dubbed K32GetProcessImageFileName allows endpoint security solutions, like Windows Defender, to verify whether an EXE file associated with a process contains malicious code. However, with process reimaging, a cybercriminal could subvert the security solution\u2019s trust in the windows operating system APIs to display inconsistent FILE_OBJECT names and paths. Consequently, Windows Defender misunderstands which file name or path it is looking at and can no longer tell if a process is trustworthy or not. By using this technique, cybercriminals can persist malicious processes executing on a user\u2019s device without them even knowing it.<\/p>\n

How to Keep Your Device Secure<\/h2>\n

So, the next question is \u2014 what can Windows users do to protect themselves from this potential threat? Check out these insights to help keep your device secure:<\/p>\n