NullSection is a research-grade Windows execution framework designed to create and run executable images without persistent disk-backed files. By leveraging native NT APIs and image section manipulation, it demonstrates execution from transient or logically removed file objects.
This platform is built for Windows internals research, forensic analysis, and security instrumentation. It focuses on deep control over process creation internals and forensic ambiguity at both user-mode and kernel-observable layers.
> [!IMPORTANT]
> Ethical Use Disclaimer: NullSection is not a malware builder. It is a low-level research tool. Use it only for authorized security research, educational purposes, and defensive development.
- No Long-Lived Disk Artifacts: Executable images are backed by transient or logically removed file objects.
- MEM_IMAGE Sections: Created through native `NtCreateSection` calls with `SEC_IMAGE`.
- Manual Process Orchestration: Process environment and threading are built manually, bypassing high-level Win32 abstractions.
- Forensic Ambiguity: Engineered to exhibit forensic inconsistencies for research purposes (e.g., image name resolution anomalies).
- Manual PEB Population: Bypasses default loader initialization. Supports manual construction of `RTL_USER_PROCESS_PARAMETERS` and string buffer isolation in remote memory.
- PPID Spoofing: Supports arbitrary parent process assignment via `NtCreateProcessEx` to research parent-child relationship telemetry.
- Syscall Layer: Research reference for indirect syscall patterns and SSN resolution.
- Manual Image Mapping: Alternative mapping logic for research into memory-based execution without relying on `SEC_IMAGE`.
- Handle Table Telemetry: Forensic analysis of process handle tables via `ProcessHandleInformation`.
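As an added defender-side example (not NullSection's own code), the PowerShell sweep below flags the two telemetry inconsistencies the feature list describes: a running process whose recorded image path no longer exists on disk, and a parent/child relationship that cannot be genuine (parent gone, or parent created after the child). It assumes only the built-in `Win32_Process` CIM class; the function name is my own.

```powershell
# Added example, not part of NullSection: hunt for processes whose backing
# image is gone from disk, or whose recorded parent is implausible.
function Get-SuspiciousProcessLineage {
    [CmdletBinding()]
    param()

    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $reasons = New-Object System.Collections.Generic.List[string]

        # 1. Image path recorded at creation, but nothing on disk now:
        #    consistent with a transient / logically removed file object.
        if ($p.ExecutablePath -and -not (Test-Path -LiteralPath $p.ExecutablePath)) {
            $reasons.Add("image path not present on disk: $($p.ExecutablePath)")
        }

        # 2. Parent checks. NtCreateProcessEx accepts any parent handle, so the
        #    recorded parent may have exited or may have been created *after*
        #    the child (PID reuse or deliberate spoofing).
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -eq $parent) {
            if ($p.ParentProcessId -ne 0) {
                $reasons.Add("parent PID $($p.ParentProcessId) no longer running")
            }
        } elseif ($parent.CreationDate -and $p.CreationDate -and
                  $parent.CreationDate -gt $p.CreationDate) {
            $reasons.Add("parent $($parent.Name) started after child")
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $p.ProcessId
                Name      = $p.Name
                ParentPid = $p.ParentProcessId
                Path      = $p.ExecutablePath
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousProcessLineage | Format-Table -AutoSize
```

Expect benign hits (orphans whose launcher exited, installers that delete themselves after launch); the value is in correlating a hit on both checks with the handle-table and image-name telemetry the framework is built to study.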
NullSection follows a modular C++20 design, ensuring clear separation of concerns.
```mermaid
graph TD
    CLI[CLI Handler] --> Core[Core: NT API / Syscalls]
    CLI --> Image[Image: PE Parser / Section Builder]
    CLI --> Process[Process: Factory / PEB Builder]
    Image --> Section[Transient Section Creation]
    Process --> Factory[NtCreateProcessEx]
    Process --> Thread[NtCreateThreadEx]
    Evasion[Research Layer] --> Telemetry[Telemetry Analysis]
```
- `core/`: NT API dynamic resolution, memory manipulation, and syscall research placeholders.
- `image/`: Hardened PE header parsing and memory-backed section construction.
- `process/`: Orchestration of `NtCreateProcessEx` and manual remote PEB population.
- `evasion/`: Observational telemetry and forensic footprint analysis.
- `utils/`: RAII handle wrappers, logging, and granular `NTSTATUS` translation.
```bash
# Clone the repository
git clone https://github.com/ismailtsdln/NullSection.git
cd NullSection

# Configure and build (CMake 3.20+)
mkdir build && cd build
cmake ..
cmake --build . --config Release
```

Run a payload from a transient file object:

```
nullsection.exe run --image C:\path\to\payload.exe
```

Advanced research: manual PEB and PPID spoofing:

```
nullsection.exe run --image C:\path\to\payload.exe --manual-peb --ppid 1234
```

The framework has been hardened with professional-grade safety features:
- Remote Pointer Safety: `PebBuilder` correctly handles remote memory allocation for string data, ensuring pointers are valid in the target process.
- Hardened PE Parsing: Strict validation for `e_lfanew` and section headers prevents crashes on malformed research binaries.
- Granular Exceptions: Specialized `NtException` system with an expanded `NTSTATUS` translation dictionary.
- Implementation Walkthrough: Detailed breakdown of the execution flow.
- Task Roadmap: Current development status and research goals.
NullSection is engineered to feel like it was written by a Windows kernel engineer. It prioritizes correctness over obfuscation and documentation over secrecy.