KingHamlet

Process Ghosting Tool - 64 bits Only!

King Hamlet is a simple tool, which allows you to perform a Process Ghosting Attack (https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack).

First, encrypt the payload file; the encrypted file is later placed on the target system, where the tool decrypts it and creates a process using the Process Ghosting technique. This allows the payload to bypass a significant number of security solutions.

The options are very simple:

Usage:
        Encrypt a file:
                kh.exe <sourcefile.exe> <encryptkey>

        Execute a file:
                kh.exe <encryptedfile.khe> <encryptkey> <targetfile.exe>

The End.

Encrypt a file:

  • sourcefile.exe - File that is going to be encrypted - 64-bit executables only
  • encryptkey - Key used to encrypt the file; 16 bytes at most, longer keys are trimmed to 16 bytes

Execute a file:

  • encryptedfile.khe - Encrypted file that is going to be executed
  • encryptkey - Key used to decrypt the file
  • targetfile.exe - Path of the file that is "created" temporarily for the process

Antivirus solutions bypassed without any issues (test date shown):

  Antivirus                      Date
  Kaspersky                      18/06/2021
  ESET NOD32                     18/06/2021
  TrendMicro Maximum Security    18/06/2021
  McAfee Total Protection        18/06/2021
  Windows Defender               18/06/2021
  Avast Free Antivirus           18/06/2021
  Avast Free Security            18/06/2021

Credits:

https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
https://github.com/hasherezade/process_doppelganging
https://github.com/bricke/tiny-AES-C
https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

All material in this repository is in the public domain.
