Process Ghosting Save

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Project README

Process Ghosting

This is my implementation of the technique presented by Gabriel Landau:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Characteristics:

Memory artifacts as in Process Doppelgänging
Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
Sections mapped with original access rights (no RWX)
Payload connected to PEB as the main module
Remote injection supported (but only into a newly created process)
Process is created from an unnamed module (GetProcessImageFileName returns empty string)

WARNING:
The 32bit version works on 32bit system only.

Open Source Agenda is not affiliated with "Process Ghosting" Project. README Source: hasherezade/process_ghosting

Stars

597

Open Issues

Last Commit

1 month ago

Repository

hasherezade/process_ghosting

License

MIT

Open Source Agenda Badge

<a href="https://www.opensourceagenda.com/projects/process-ghosting"><img src="https://www.opensourceagenda.com/projects/process-ghosting/reviews/badge.svg" alt="Open Source Agenda"></a>

Submit Review Review Your Favorite Project

Submit Resource Articles, Courses, Videos

Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022