.tmp created
Jaimebuu opened this issue · comments
Hi, I'm trying to use this "injector" but it creates a .tmp and that makes it really detectable. I'm not sure if it is possible to make it so it stops creating the .tmp.
Or if there is any way to edit it myself so it doesn't create it. I tried Visual Studio but it won't read the .exe.
Hi! Please read the original description of this technique at: https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
This step is necessary for this technique:
The created .tmp file is in the delete-pending state, which prevents the file from being opened by the external processes, including anti-malware scanners.
Oh ok, is there any alternative to process_ghosting that doesn't require the .tmp?
yes, Process Doppelgänging (https://github.com/hasherezade/process_doppelganging) is very similar, but instead of the delete-pending file it uses a file within a transaction.
You can also have a look at my other repositories with process impersonation techniques: https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10 - maybe you will find something that fits you.
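The delete-pending .tmp discussed in this thread is also what gives a defender a foothold: once the process is running, its reported image path points at a file that is either gone or carries a temporary-file name. The following triage helper, added here as an illustration and not code from this repository or from hasherezade, runs that check over process-creation records. The `ProcessEvent` fields, the `VISIBLE_FILES` snapshot and every path, PID and parent in `SAMPLE_EVENTS` are constructed for the example; on a live host the snapshot would be replaced by a real filesystem lookup such as `os.path.exists`.

```python
"""Triage helper for process-creation telemetry (illustrative, constructed data).

Flags processes whose on-disk image is missing or carries a temporary-file
name, which is how a process started from a delete-pending .tmp file looks
to an observer that checks after the fact.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image_path: str      # path reported as the process image (hypothetical field)
    parent_image: str    # image of the creating process (hypothetical field)


# Constructed snapshot of files visible on disk at triage time (lower-cased).
VISIBLE_FILES: Set[str] = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
    r"c:\program files\app\app.exe",
}

# Constructed process-creation records; none of these paths or PIDs are real.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(4120, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(5288, r"C:\Users\alice\AppData\Local\Temp\abc123.tmp",
                 r"C:\Users\alice\Desktop\launcher.exe"),
    ProcessEvent(6044, r"C:\Program Files\App\app.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(7310, r"C:\Windows\Temp\payload.exe",
                 r"C:\Windows\explorer.exe"),
]


def image_reason(event: ProcessEvent, visible: Set[str]) -> Optional[str]:
    """Return why the image looks tampered with, or None if it looks normal."""
    path = event.image_path.lower()
    reasons = []
    if path not in visible:
        reasons.append("image file not present on disk")
    if path.endswith(".tmp"):
        reasons.append("image has a .tmp extension")
    return "; ".join(reasons) or None


def triage(events: List[ProcessEvent], visible: Set[str]) -> Dict[int, str]:
    """Map PID -> reason for every event that deserves a closer look."""
    flagged: Dict[int, str] = {}
    for ev in events:
        reason = image_reason(ev, visible)
        if reason:
            flagged[ev.pid] = reason
    return flagged


if __name__ == "__main__":
    for pid, why in triage(SAMPLE_EVENTS, VISIBLE_FILES).items():
        print(f"pid {pid}: {why}")
```

A missing image is a triage hint rather than proof: a binary that was updated or removed after the process started, or an installer that deletes itself, produces the same signal, so the flagged PIDs are candidates for a closer look at the parent process and the memory-mapped image rather than verdicts.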