process_ghosting
process_ghosting copied to clipboard

Published 20 hours ago •

→

Metadata

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Readme
Issues

Process Ghosting

This is my implementation of the technique presented by Gabriel Landau:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Characteristics:

Memory artifacts as in Process Doppelgänging
Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
Sections mapped with original access rights (no RWX)
Payload connected to PEB as the main module
Remote injection supported (but only into a newly created process)
Process is created from an unnamed module (GetProcessImageFileName returns empty string)

WARNING:
The 32bit version works on 32bit system only.

About

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

pe-injector

pefile

pe-injection

605

Stars

113

Forks

Watchers

Owner

hasherezade

← Metadata

605

Stars

113

Forks

Watchers

Owner

hasherezade

Metadata

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Back

process_ghosting process_ghosting copied to clipboard

Metadata

Process Ghosting

Characteristics:

← Metadata

Owner

Metadata

process_ghosting
process_ghosting copied to clipboard