/process_ghosting

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Primary LanguageCMIT LicenseMIT

Process Ghosting

Build status

This is my implementation of the technique presented by Gabriel Landau:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Characteristics:

  • Memory artifacts as in Process Doppelgänging
  • Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
  • Sections mapped with original access rights (no RWX)
  • Payload connected to PEB as the main module
  • Remote injection supported (but only into a newly created process)
  • Process is created from an unnamed module (GetProcessImageFileName returns empty string)

WARNING:
The 32bit version works on 32bit system only.