https://github.com/hasherezade/process_ghosting/blob/master/process_env.cpp#L63

If the address (second parameter of VirtualAllocEx) is invalid，maybe is conflict or is not aligned, the actual address of allocated buffer will be returned by VirtualAllocEx.

In my code, it won’t work without address relocation processing, because almost every time the actual assigned address is not the origin one submitted by me.

I wonder why your code works without processing this case (Actually, it works well).

Hi, I'm trying to understand and reimplement your version of Process Ghosting but in Go. Would it be possible to retrieve the file via an HTTP request instead of retrieving it from disk? Sent you a message on twitter also if you prefer discussing there (@_atsika).

Hello,

Thanks for all your POCs. I'm interested in using process_ghosting to test some software. Would it be possible for you to add a license to this repo so that I don't run afoul of any copyright issues when modifying it, adding it to our test repository etc...

Many thanks.

I created a simple msfvenom 64 bit stageless payload, installed 2019 build of Windows 10 to test out process ghosting. I used your proc_ghost64.exe with the following command on win 10 VM

proc_ghost64.exe shell.exe new_shell.exe

And it crashes my windows 10 VM with the stopcode: SYSTEM_SERVICE_EXCEPTION

Help please. Thanks!

At main.cpp(27), you are calling NtOpenFile without SYNCHRONIZE and FILE_SYNCHRONOUS_IO_NONALERT flags. This means that the file is open/created for asynchronous access. Any read/write operation is pended, and may be completed asynchronously if the operating system decides to do so. Usually, it happens after reboot, when the file is not in the system cache.

Then, at main.cpp(59), you are calling NtWriteFile without waiting for the result.

TLDR: The Proof-of-concept will produce random results.

Hi, Is there any chance so that i can change the svchost.exe process creation so i can decide what name to use. And if you can tell me on what command line is the process created and change temp creation, for random file creation...

Hi im trying to use this "injector" but it creates a .tmp and that makes it really detectable im not sure if it is posible to make it so it stops creating the .tmp

Or if there is any way to edit it by myself so it doasent creates it, ik tried visual studio but it wont read the .exe

Hi,

I think this technique is being blocked by windows defender, even when it's disabled, and I'm not sure how. CreateRemoteThreadEx fails with 0xc0000022. I've confirmed it was working on windows 10 enterprise, with no defender installed.

Hi, Reflective loaders like Cobalt Strike's beacon or Metasploit's meterpreter don't callback home. Beacon seems alive but not calling back home. Also nothing on wireshark. Do you have an idea of why ? Thanks in advance

I have successfully made a build and used it to launch 64-Bit Payloads on x64. Is there any way to launch 32-Bit equivalents of these as well, using the 64-Bit version on x64?

Disclaimer: I am relatively new to C++, and would appreciate any help.

I created a reverse shell with msfvenom, precisely an exe file, but it won't fire:

'E:\process_ghosting-master\Debug>proc_ghost.exe msf_rev_https.exe
[+] Created temp file: C:\Users\fancy\AppData\Local\Temp\THCFE8.tmp [+] Information set [+] Written! PEB address: 2d7000 ImageBase address: 140000000 [+] Parameters mapped! PEB address: 2d7000 PEB address: 2d7000 ProcessParameters addr: 0000025FD11A8F30 [+] Process created! Pid = 31e0 EntryPoint at: 140004000 [+] Done!'

The process is created and disappears after a few seconds.

The file msf_rev_https.exe works fine btw.