Process Ghosting in C#

Primary language: C#
License: BSD 3-Clause "New" or "Revised" License (BSD-3-Clause)

SharpGhosting

Process Ghosting (x64 only) in C#

https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Compile options:

  1. Build the solution
  2. PS C:\> C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /out:SharpGhost.exe /unsafe C:\Path\to\SharpGhosting\*.cs
    • v4.0.30319's csc.exe also works for compiling

Usage:

-real: the exe you want executed [Required]
-fake: path to a file that doesn't exist (parent directory must exist though) [Optional]

PS C:\> .\Path\to\SharpGhosting.exe -real C:\windows\system32\cmd.exe
PS C:\> .\Path\to\SharpGhosting.exe -real C:\windows\system32\cmd.exe -fake C:\windows\temp\fakefile

Super helpful projects: