Skip to content

hasherezade/process_ghosting

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits

img

img

 
 

.appveyor.yml

.appveyor.yml

 
 

CMakeLists.txt

CMakeLists.txt

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

main.cpp

main.cpp

 
 

ntddk.h

ntddk.h

 
 

ntdll_types.h

ntdll_types.h

 
 

ntdll_undoc.cpp

ntdll_undoc.cpp

 
 

ntdll_undoc.h

ntdll_undoc.h

 
 

pe_hdrs_helper.cpp

pe_hdrs_helper.cpp

 
 

pe_hdrs_helper.h

pe_hdrs_helper.h

 
 

process_env.cpp

process_env.cpp

 
 

process_env.h

process_env.h

 
 

util.cpp

util.cpp

 
 

util.h

util.h

 
 

Repository files navigation

Process Ghosting

Build status

This is my implementation of the technique presented by Gabriel Landau:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Characteristics:

  • Memory artifacts as in Process Doppelgänging
  • Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
  • Sections mapped with original access rights (no RWX)
  • Payload connected to PEB as the main module
  • Remote injection supported (but only into a newly created process)
  • Process is created from an unnamed module (GetProcessImageFileName returns empty string)
WARNING:
The 32bit version works on 32bit system only.

About

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Topics

pefile pe-injector pe-injection

Resources

Readme

License

MIT license
Activity

Stars

597 stars

Watchers

12 watching

Forks

114 forks
Report repository

Releases 1

1.0 Latest
Aug 19, 2021

Packages

No packages published

Languages