Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/hasherezade/process_ghosting

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

pe-injection pe-injector pefile


README

Process Ghosting
==========

[![Build status](https://ci.appveyor.com/api/projects/status/2nabj2ukws4ees0w?svg=true)](https://ci.appveyor.com/project/hasherezade/process-ghosting)

This is my implementation of the technique presented by [Gabriel Landau](https://twitter.com/GabrielLandau):

https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

![](img/proc_ghost.png)

Characteristics:
----------
+ Memory artifacts as in [Process Doppelgänging](https://github.com/hasherezade/process_doppelganging)
+ Payload mapped as `MEM_IMAGE` (unnamed: not linked to any file)
+ Sections mapped with original access rights (no `RWX`)
+ Payload connected to PEB as the main module
+ Remote injection supported (but only into a newly created process)
+ Process is created from an unnamed module (`GetProcessImageFileName` returns an empty string)

WARNING:

The 32-bit version works on 32-bit systems only.