Process Ghosting is a malware evasion technique in which a file is created, marked for deletion, filled with the payload, and then mapped into memory as an image section from which a new process is created. Once the process starts, the file is deleted, leaving no trace on disk and so evading traditional file-based security checks. The technique relies on the timing gap between process creation and the point at which security software is able to detect and analyze the new process: by then the backing file is already gone, so antivirus or EDR solutions that rely on file inspection or signatures have nothing to scan.
For more information, see the original write-up of the technique by Gabriel Landau: https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
- Fetch a PE payload. For simplicity, this module reads the PE payload directly from disk. Ideally, the payload would be encrypted and stored in the resource section.
- Create an empty file on disk. This module creates a .tmp file in the $env:TMP directory; it is overwritten with the PE payload in a later step.
- Create a ghost section from the temporary file. The ghost section is created by calling NtCreateSection on the delete-pending .tmp file. Once the file handle is closed, the file is removed from disk.
- Create a process from the ghost section. The ghost section is passed to the NtCreateProcessEx syscall to create the process.
- Write the process parameters and the environment block manually into the created process.
- Fetch the PE payload's entry point and execute it. The entry point is resolved and then executed by creating a new thread in the process.
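The steps above describe the sequence from the attacker's side. As an added defensive counterpart (my own example, not code from this project or from Landau's write-up), the PowerShell sweep below looks for the artifact the technique leaves behind: a running process whose backing image file no longer exists on disk, or whose image is a `.tmp` file in the style this module creates. The function name `Find-GhostedProcessCandidates` is my own choice; everything it calls is standard PowerShell and WMI/CIM.

```powershell
# Added example (not part of this project): a point-in-time hunt for processes
# whose image file has vanished from disk, which is what Process Ghosting
# produces. Benign cases (self-deleting installers, updaters mid-replace) will
# also match, so treat hits as triage leads rather than verdicts.

function Find-GhostedProcessCandidates {
    [CmdletBinding()]
    param()

    # Win32_Process exposes ExecutablePath; kernel/pseudo processes such as
    # System and Registry have none and are skipped.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { -not [string]::IsNullOrEmpty($_.ExecutablePath) } |
        ForEach-Object {
            $path   = $_.ExecutablePath
            $exists = Test-Path -LiteralPath $path -PathType Leaf
            $isTmp  = [System.IO.Path]::GetExtension($path) -ieq '.tmp'

            if (-not $exists -or $isTmp) {
                $reason = if (-not $exists) { 'image file missing on disk' } else { 'image is a .tmp file' }
                [PSCustomObject]@{
                    ProcessId       = $_.ProcessId
                    ParentProcessId = $_.ParentProcessId
                    Name            = $_.Name
                    ExecutablePath  = $path
                    ImageOnDisk     = $exists
                    Reason          = $reason
                    CreationDate    = $_.CreationDate
                }
            }
        }
}

# Run from an elevated shell so that every process's path is readable.
Find-GhostedProcessCandidates | Format-Table -AutoSize
```

Because this is a snapshot, it only catches ghosted processes that are still running; a short-lived payload that has already exited is invisible to it. Pair the sweep with real-time process-creation telemetry that records the image path at creation time, and flag creations whose path does not resolve to an existing file.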
- https://github.com/hasherezade/process_ghosting.git
- https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
Implemented in Rust by @5mukx.