Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Process Ghosting

This is my implementation of the technique presented by Gabriel Landau:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Characteristics:

  • Memory artifacts as in Process Doppelgänging
  • Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
  • Sections mapped with original access rights (no RWX)
  • Payload connected to PEB as the main module
  • Remote injection supported (but only into a newly created process)
  • Process is created from an unnamed module (GetProcessImageFileName returns an empty string)
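The last characteristic in the list is also a hunting artifact. The PowerShell below is an added example, not code from the process_ghosting repository: it walks every process and reports those for which GetProcessImageFileName yields no name, separating them from processes that simply could not be opened. It assumes an elevated session; the P/Invoke namespace and function names are the example's own.

```powershell
# Added example, not part of the process_ghosting repository: report processes
# whose main image has no file name, the artifact the README lists for a
# process started from an unnamed (ghosted) image section.
# Assumption: run elevated, so processes that cannot be opened are reported as
# 'open-failed' rather than mistaken for ghosted ones.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetProcessImageFileNameW(IntPtr hProcess, System.Text.StringBuilder lpImageFileName, uint nSize);
'@
if (-not ('GhostHunt.ImageName' -as [type])) {
    Add-Type -MemberDefinition $signature -Name 'ImageName' -Namespace 'GhostHunt' | Out-Null
}
$Native = [GhostHunt.ImageName]

function Get-UnnamedImageProcess {
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    foreach ($proc in Get-Process) {
        # PID 0 (Idle) and PID 4 (System) have no user-mode image by design.
        if ($proc.Id -le 4) { continue }

        $handle = $Native::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $proc.Id)
        if ($handle -eq [IntPtr]::Zero) {
            [PSCustomObject]@{ Pid = $proc.Id; Name = $proc.ProcessName; Status = 'open-failed'
                               Win32Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
            continue
        }
        try {
            $buffer = New-Object System.Text.StringBuilder 1024
            $length = $Native::GetProcessImageFileNameW($handle, $buffer, [uint32]$buffer.Capacity)
            # Zero characters copied: the kernel has no file name for the image
            # section backing this process, which is what the README describes.
            if ($length -eq 0) {
                [PSCustomObject]@{ Pid = $proc.Id; Name = $proc.ProcessName; Status = 'no-image-name'
                                   Win32Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
            }
        } finally {
            [void]$Native::CloseHandle($handle)
        }
    }
}

Get-UnnamedImageProcess | Format-Table -AutoSize
```

A 'no-image-name' hit only shows that the main image carries no file name; confirm it by inspecting the process's memory map before treating it as an incident.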

WARNING:
The 32-bit version works on 32-bit systems only.
Comments
  • The issue of VirtualAllocEx usage

    https://github.com/hasherezade/process_ghosting/blob/master/process_env.cpp#L63

    If the address (second parameter of VirtualAllocEx) is invalid, maybe because it conflicts or is not aligned, the actual address of the allocated buffer will be returned by VirtualAllocEx.

    In my code, it won't work without address relocation processing, because almost every time the actual assigned address is not the original one I submitted.

    I wonder why your code works without processing this case (Actually, it works well).

  • In memory file

    Hi, I'm trying to understand and reimplement your version of Process Ghosting but in Go. Would it be possible to retrieve the file via an HTTP request instead of retrieving it from disk? Sent you a message on twitter also if you prefer discussing there (@_atsika).

  • License?

    Hello,

    Thanks for all your POCs. I'm interested in using process_ghosting to test some software. Would it be possible for you to add a license to this repo so that I don't run afoul of any copyright issues when modifying it, adding it to our test repository etc...

    Many thanks.

  • Crashes my Windows 10 VM

    I created a simple msfvenom 64-bit stageless payload and installed a 2019 build of Windows 10 to test out process ghosting. I used your proc_ghost64.exe with the following command on the Windows 10 VM:

    proc_ghost64.exe shell.exe new_shell.exe

    And it crashes my Windows 10 VM with the stop code SYSTEM_SERVICE_EXCEPTION.

    Help please. Thanks!

  • The PoC produces random results due to the ghosted file being created asynchronously

    At main.cpp(27), you are calling NtOpenFile without SYNCHRONIZE and FILE_SYNCHRONOUS_IO_NONALERT flags. This means that the file is open/created for asynchronous access. Any read/write operation is pended, and may be completed asynchronously if the operating system decides to do so. Usually, it happens after reboot, when the file is not in the system cache.

    Then, at main.cpp(59), you are calling NtWriteFile without waiting for the result.

    TLDR: The Proof-of-concept will produce random results.

  • Change Process

    Hi, is there any chance that I can change the svchost.exe process creation so I can decide what name to use? And could you tell me on what command line the process is created, and how to change the temp creation, for random file creation...

  • .tmp created

    Hi, I'm trying to use this "injector" but it creates a .tmp and that makes it really detectable. I'm not sure if it is possible to make it so it stops creating the .tmp.

    Or if there is any way to edit it by myself so it doesn't create it; I tried Visual Studio but it won't read the .exe.

  • Blocked by wdfilter?

    Hi,

    I think this technique is being blocked by Windows Defender, even when it's disabled, and I'm not sure how. CreateRemoteThreadEx fails with 0xc0000022. I've confirmed it was working on Windows 10 Enterprise, with no Defender installed.

  • Reflective Loader as payload

    Hi, reflective loaders like Cobalt Strike's Beacon or Metasploit's Meterpreter don't call back home. Beacon seems alive but is not calling back home. Also nothing on Wireshark. Do you have an idea why? Thanks in advance.

  • 32 Bit Payloads on 64 Bit Systems.

    I have successfully made a build and used it to launch 64-bit payloads on x64. Is there any way to launch 32-bit equivalents of these as well, using the 64-bit version on x64?

    Disclaimer: I am relatively new to C++, and would appreciate any help.

  • Payload doesn't fire

    I created a reverse shell with msfvenom, precisely an exe file, but it won't fire:

    E:\process_ghosting-master\Debug>proc_ghost.exe msf_rev_https.exe
    [+] Created temp file: C:\Users\fancy\AppData\Local\Temp\THCFE8.tmp
    [+] Information set
    [+] Written!
    PEB address: 2d7000
    ImageBase address: 140000000
    [+] Parameters mapped!
    PEB address: 2d7000
    PEB address: 2d7000
    ProcessParameters addr: 0000025FD11A8F30
    [+] Process created! Pid = 31e0
    EntryPoint at: 140004000
    [+] Done!

    The process is created and disappears after a few seconds.

    The file msf_rev_https.exe works fine, by the way.
