{"id":21525643,"url":"https://github.com/0xlane/process_ghosting","last_synced_at":"2025-04-09T23:22:19.574Z","repository":{"id":188108040,"uuid":"558754538","full_name":"0xlane/process_ghosting","owner":"0xlane","description":"Rust implementation of the ProcessGhosting technique","archived":false,"fork":false,"pushed_at":"2024-10-23T08:08:40.000Z","size":992,"stargazers_count":25,"open_issues_count":1,"forks_count":6,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-24T01:12:01.053Z","etag":null,"topics":["pe-injection","pe-injector","pefile","process-ghosting","process-injection","process-injector","rust","windows"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xlane.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2022-10-28T08:12:14.000Z","updated_at":"2025-02-28T11:59:32.000Z","dependencies_parsed_at":"2023-08-13T20:11:29.893Z","dependency_job_id":null,"html_url":"https://github.com/0xlane/process_ghosting","commit_stats":null,"previous_names":["0xlane/process_ghosting"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xlane%2Fprocess_ghosting","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xlane%2Fprocess_ghosting/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xlane%2Fprocess_ghosting/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xlane%2Fprocess_ghosting/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xlane","download_url":"https://codeload.github.com/0xlane/process_ghosting/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248126558,"owners_count":21051961,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pe-injection","pe-injector","pefile","process-ghosting","process-injection","process-injector","rust","windows"],"created_at":"2024-11-24T01:37:53.109Z","updated_at":"2025-04-09T23:22:19.513Z","avatar_url":"https://github.com/0xlane.png","language":"Rust","readme":"# Process Ghosting\n\nThis is a Rust port of the [hasherezade/process_ghosting](https://github.com/hasherezade/process_ghosting) project.\n\n## Build\n\n```bash\ncargo build\n```\n\n## Usage\n\n```bash\nprocess_ghosting.exe \u003ctarget_path\u003e \u003cpayload_path\u003e\n```\n\n![x](./screenshot.png)\n\n## How it works\n\nReference: [https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack](https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack)\n\nRough sequence of steps:\n\n1. Create a file, opened with DELETE access\n2. Call NtSetInformationFile to set the DeleteFile member of FILE_DISPOSITION_INFO to TRUE\n3. Write the malicious content into the file; because the file is now in the delete-pending state, nothing else can open it\n4. Create an IMAGE section from the file\n5. Close the file handle; the file is deleted automatically\n6. Create a process from the IMAGE section; the process has no corresponding file on disk\n7. Set the process parameters and environment variables\n8. Create a thread in the process to execute the malicious content\n\nThe last step triggers the kernel process-creation callbacks, and because the process has no file on disk, some static detection engines fail on it.\n\nBesides the delete_on_close self-deleting file mechanism, this technique also has to be combined with process command-line argument spoofing.\n\n## Remaining issues\n\nBecause the created process is a fileless process, it looks very odd in Task Manager. I have no fix for this for now, but purely for getting past static scans of process files it still works well.\n\n![x](images/2022-10-28_16-06-08.png)\n\nThis issue has since been resolved. How it was resolved:\n\nA quick look shows that Windows Task Manager does not obtain the process name from the PEB; it is determined from the section_handle information at process creation time. In the original project the file had already been deleted by the time the process was created, so no file information could be retrieved and the process name came out empty. The fix is simple: close the file handle only after creating the process. But then the exact file path the process corresponds to can be looked up, so I'll leave it empty here after all.\n\n![x](images/2022-10-31_11-47-21.png)\n\nPerhaps hasherezade was not satisfied either, and wrote another project combining it with ProcessHollowing, [hasherezade/transacted_hollowing](https://github.com/hasherezade/transacted_hollowing), which solves this problem. She combined the ProcessHollowing and ProcessGhosting techniques slightly: following ProcessHollowing, first create a suspended process of a normal program, then use the ProcessGhosting approach to build a fileless section, map it into the target process, update the PEB, and resume the thread.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xlane%2Fprocess_ghosting","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xlane%2Fprocess_ghosting","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xlane%2Fprocess_ghosting/lists"}