hasherezade / process_ghosting

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file


In memory file

Atsika opened this issue · comments

Hi,
I'm trying to understand and reimplement your version of Process Ghosting, but in Go. Would it be possible to retrieve the file via an HTTP request instead of retrieving it from disk?
I also sent you a message on Twitter if you prefer discussing there (@_atsika).

Hi!
Yes, sure, it is possible. In the line where you buffer the payload:

BYTE* payladBuf = buffer_payload(payloadPath, payloadSize);

In this PoC the payload is read from the disk, but of course you can load it from any other data source, such as an internal buffer or a buffer retrieved from the internet. Just replace this function with your own.

Thanks for your answer!
Indeed, I was able to retrieve the same data as if it was on disk :)
Another thing: are the process parameters (setup_process_parameters) essential to make it work?

@Atsika - Yes, it is essential.

Might my program crash after thread creation because of this? 🤔

Yes, if the parameters are not filled, or are filled improperly, the program will crash.