Crashes my Windows 10 VM
harshitrajpal opened this issue
I created a simple msfvenom 64-bit stageless payload and installed a 2019 build of Windows 10 to test out process ghosting. I used your proc_ghost64.exe with the following command on the Windows 10 VM:
proc_ghost64.exe shell.exe new_shell.exe
And it crashes my Windows 10 VM with the stop code SYSTEM_SERVICE_EXCEPTION.
Help please. Thanks!
@harshitrajpal: I guess this is the same error as here: Wra7h/SharpGhosting#1?
The immediate issue is this:
CONTEXT: ffffc480abca2810 -- (.cxr 0xffffc480abca2810)
rax=0000000000000200 rbx=00000000000000a0 rcx=0000000000000000
rdx=ffff878029c42080 rsi=ffff878029c42080 rdi=0000000000000000
rip=fffff803770d3c58 rsp=ffffc480abca3210 rbp=ffffc480abca3310
r8=ffffae0bfacd406f r9=ffffae0bfacd4060 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=ffff878029c42080
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!PspInitializeFullProcessImageName+0x3c:
fffff803`770d3c58 488b81a8000000 mov rax,qword ptr [rcx+0A8h] ds:002b:00000000`000000a8=????????????????
I haven't checked it in detail yet, but at a quick glance it seems some versions of Windows don't check whether the pointer to the path is NULL (therefore it crashes on an invalid pointer).
So the error comes from one of the characteristics of Process Ghosting:
- Process is created from an unnamed module (GetProcessImageFileName returns an empty string)
I don't think it can be helped, because in this method the process is created from a manually loaded section, and the path is not preserved. So the process runs with no ImageFileName (set to NULL), and it cannot be changed manually.
Some time ago I made a hybrid of Process Ghosting with Process Hollowing, which allows avoiding this and other limitations of this technique. Check out Ghostly Hollowing: https://github.com/hasherezade/transacted_hollowing/blob/main/README.md#ghostly-hollowing
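The property discussed above (a process created from an unnamed section has no resolvable image file name) is also what a defender can look for from user mode. The following PowerShell script is an added example, not code from this issue or from the proc_ghost / transacted_hollowing projects: it enumerates running processes, asks the kernel for each one's full image path via QueryFullProcessImageNameW, and reports processes whose path comes back empty. The allowlist of Windows minimal processes (System, Registry, Memory Compression, Secure System, Idle) that legitimately have no image path is an assumption for this example; tune it for your build.

```powershell
# Added example (not part of this issue thread): list running processes whose
# image path cannot be resolved, which is the trait hasherezade describes above
# for a process created from an unnamed (ghosted) section.
# Run from an elevated prompt so PROCESS_QUERY_LIMITED_INFORMATION succeeds for
# most processes; processes that cannot be opened are reported as "unknown",
# not as findings.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageNameW(IntPtr hProcess, uint dwFlags, System.Text.StringBuilder lpExeName, ref uint lpdwSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$k32 = Add-Type -MemberDefinition $signature -Name 'Kernel32Image' -Namespace 'GhostCheck' -PassThru

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Returns: a path string for a normal file-backed process, '' when the kernel
# cannot supply an image path, or $null when the process could not be opened.
function Get-ProcessImagePath {
    param([int]$ProcessId)
    $h = $k32::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        $sb = New-Object System.Text.StringBuilder 1024
        [uint32]$size = $sb.Capacity
        if ($k32::QueryFullProcessImageNameW($h, 0, $sb, [ref]$size)) {
            return $sb.ToString(0, [int]$size)
        }
        return ''
    } finally {
        [void]$k32::CloseHandle($h)
    }
}

# Assumed allowlist: Windows processes that are not backed by an image file
# and therefore have no path by design. Adjust for your Windows build.
$expectedNoPath = @('Idle', 'System', 'Registry', 'Memory Compression', 'Secure System')

$findings = foreach ($p in Get-Process) {
    $path = Get-ProcessImagePath -ProcessId $p.Id
    if ($null -eq $path) { continue }                             # could not open: unknown
    if ($path -ne '') { continue }                                # normal, file-backed image
    if ($expectedNoPath -contains $p.ProcessName) { continue }    # known image-less system process
    [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Note = 'no image path (possible ghosted process)' }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No image-less user processes found.' }
```

The check is a heuristic: an empty image path is expected for the kernel's minimal processes, so the allowlist is what keeps the output quiet on a clean box, and a hit should be confirmed with a memory-forensics tool (for example by comparing the process's mapped sections against what a file-backed process of the same name would have) rather than treated as proof on its own.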