Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Overview

Process Ghosting

This is my implementation of the technique presented by Gabriel Landau:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Characteristics:

  • Memory artifacts as in Process Doppelgänging
  • Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
  • Sections mapped with original access rights (no RWX)
  • Payload connected to PEB as the main module
  • Remote injection supported (but only into a newly created process)
  • Process is created from an unnamed module (GetProcessImageFileName returns empty string)

WARNING:
The 32-bit version works on 32-bit systems only.
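A defender-side check for the last characteristic listed above, added here as an example and not code from hasherezade's repository: it enumerates running processes and reports those for which GetProcessImageFileName returns an empty name. The class name GhostCheck and the function Find-UnnamedImageProcess are my own; the script assumes an elevated PowerShell session on Windows.

```powershell
# Added example (not from the process_ghosting repo): flag processes whose image
# file name query comes back empty, the artifact the README above describes.
$native = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class GhostCheck {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
    // Same API the README cites: returns the copied length, 0 on failure or when no name exists.
    [DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern uint GetProcessImageFileNameW(IntPtr handle, StringBuilder name, uint size);
}
'@
Add-Type -TypeDefinition $native

function Find-UnnamedImageProcess {
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5
    foreach ($p in Get-Process) {
        if ($p.Id -in 0, 4) { continue }   # Idle and System have no user-mode image to name
        $h = [GhostCheck]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }   # could not open (e.g. protected process): inconclusive
        try {
            $sb   = New-Object System.Text.StringBuilder 1024
            $len  = [GhostCheck]::GetProcessImageFileNameW($h, $sb, 1024)
            $err  = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            $name = $sb.ToString()
            # An empty name without an access error is the ghosting artifact; an empty
            # result with ERROR_ACCESS_DENIED is only a query we were not allowed to make.
            if ($name.Length -eq 0 -and $err -ne $ERROR_ACCESS_DENIED) {
                [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Length = $len; Win32Error = $err }
            }
        } finally {
            [void][GhostCheck]::CloseHandle($h)
        }
    }
}

Find-UnnamedImageProcess | Format-Table -AutoSize
```

Because a zero-length result is also what the call returns on failure, each hit carries its Win32 error code so that a genuine unnamed image can be told apart from a failed query.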
Issues
  • The issue of VirtualAllocEx usage

    https://github.com/hasherezade/process_ghosting/blob/master/process_env.cpp#L63

    If the address (second parameter of VirtualAllocEx) is invalid, maybe because it conflicts or is not aligned, the actual address of the allocated buffer will be returned by VirtualAllocEx.

    In my code, it won't work without address relocation processing, because almost every time the actual assigned address is not the original one I submitted.

    I wonder why your code works without processing this case (actually, it works well).

    question 
    opened by EddieIvan01 9
  • In memory file

    Hi, I'm trying to understand and reimplement your version of Process Ghosting but in Go. Would it be possible to retrieve the file via an HTTP request instead of retrieving it from disk? Sent you a message on Twitter also if you prefer discussing there (@_atsika).

    question 
    opened by Atsika 5
  • License?

    Hello,

    Thanks for all your POCs. I'm interested in using process_ghosting to test some software. Would it be possible for you to add a license to this repo so that I don't run afoul of any copyright issues when modifying it, adding it to our test repository etc...

    Many thanks.

    opened by snowkoan 2
  • Crashes my Windows 10 VM

    I created a simple msfvenom 64-bit stageless payload and installed a 2019 build of Windows 10 to test out process ghosting. I used your proc_ghost64.exe with the following command on the Win 10 VM:

    proc_ghost64.exe shell.exe new_shell.exe

    And it crashes my Windows 10 VM with the stop code: SYSTEM_SERVICE_EXCEPTION

    Help please. Thanks!

    opened by harshitrajpal 1
  • The PoC produces random result due to the ghosted file being created asynchronous

    At main.cpp(27), you are calling NtOpenFile without SYNCHRONIZE and FILE_SYNCHRONOUS_IO_NONALERT flags. This means that the file is open/created for asynchronous access. Any read/write operation is pended, and may be completed asynchronously if the operating system decides to do so. Usually, it happens after reboot, when the file is not in the system cache.

    Then, at main.cpp(59), you are calling NtWriteFile without waiting for the result.

    TLDR: The Proof-of-concept will produce random results.

    opened by ladislav-zezula 1
  • Blocked by wdfilter?

    Hi,

    I think this technique is being blocked by Windows Defender, even when it's disabled, and I'm not sure how. CreateRemoteThreadEx fails with 0xc0000022. I've confirmed it was working on Windows 10 Enterprise, with no Defender installed.

    opened by Mukad3 0
  • Reflective Loader as payload

    Hi, reflective loaders like Cobalt Strike's Beacon or Metasploit's Meterpreter don't call back home. Beacon seems alive but is not calling back home. Also nothing on Wireshark. Do you have an idea why? Thanks in advance

    opened by Atsika 5
  • 32 Bit Payloads on 64 Bit Systems.

    I have successfully made a build and used it to launch 64-Bit Payloads on x64. Is there any way to launch 32-Bit equivalents of these as well, using the 64-Bit version on x64?

    Disclaimer: I am relatively new to C++, and would appreciate any help.

    opened by Providence47 5
  • Payload doesn't fire

    I created a reverse shell with msfvenom, precisely an exe file, but it won't fire:

    E:\process_ghosting-master\Debug>proc_ghost.exe msf_rev_https.exe
    [+] Created temp file: C:\Users\fancy\AppData\Local\Temp\THCFE8.tmp
    [+] Information set
    [+] Written!
    PEB address: 2d7000
    ImageBase address: 140000000
    [+] Parameters mapped!
    PEB address: 2d7000
    PEB address: 2d7000
    ProcessParameters addr: 0000025FD11A8F30
    [+] Process created! Pid = 31e0
    EntryPoint at: 140004000
    [+] Done!

    The process is created and disappears after a few seconds.

    The file msf_rev_https.exe works fine btw.

    opened by hawaii67 11
  • build error

    When I try to build the solution I get this; any help please.

    Severity Code Description Project File Line Suppression State
    Error LNK2019 unresolved external symbol "bool __cdecl buffer_remote_peb(void *,struct _PROCESS_BASIC_INFORMATION &,struct _PEB &)" referenced in function "bool __cdecl process_ghost(wchar_t *,unsigned char *,unsigned long)" WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2019 unresolved external symbol "bool __cdecl setup_process_parameters(void *,struct _PROCESS_BASIC_INFORMATION &,wchar_t *)" referenced in function "bool __cdecl process_ghost(wchar_t *,unsigned char *,unsigned long)" WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2019 unresolved external symbol "unsigned long __cdecl get_entry_point_rva(unsigned char const *)" referenced in function "bool __cdecl process_ghost(wchar_t *,unsigned char *,unsigned long)" WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2019 unresolved external symbol "unsigned char * __cdecl buffer_payload(wchar_t *,unsigned int &)" referenced in function _wmain WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2019 unresolved external symbol "void __cdecl free_buffer(unsigned char *,unsigned int)" referenced in function _wmain WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2019 unresolved external symbol "bool __cdecl get_calc_path(wchar_t ,unsigned long,bool)" referenced in function _wmain WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2019 unresolved external symbol "bool __cdecl init_ntdll_func(void)" referenced in function _wmain WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2001 unresolved external symbol "long (__stdcall NtCreateProcessEx)(void * *,unsigned long,struct _OBJECT_ATTRIBUTES *,void *,unsigned long,void *,void *,void ,unsigned char)" WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2001 unresolved external symbol "long (__stdcall NtCreateThreadEx)(void * *,unsigned long,struct _OBJECT_ATTRIBUTES *,void *,void *,void *,unsigned long,unsigned long,unsigned long,unsigned long,void *)" WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
    Error LNK2019 unresolved external symbol [email protected] referenced in function "int __cdecl invoke_main(void)" WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\MSVCRTD.lib(exe_winmain.obj) 1
    Error LNK1120 10 unresolved externals WindowsProject4 C:\Users\aliendell\source\repos\gho\Debug\WindowsProject4.exe 1

    opened by ghost 5
Owner: hasherezade