
process_ghosting's Introduction

Process Ghosting


This is my implementation of the technique presented by Gabriel Landau:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Characteristics:

  • Memory artifacts as in Process Doppelgänging
  • Payload mapped as MEM_IMAGE (unnamed: not linked to any file)
  • Sections mapped with original access rights (no RWX)
  • Payload connected to PEB as the main module
  • Remote injection supported (but only into a newly created process)
  • Process is created from an unnamed module (GetProcessImageFileName returns empty string)

WARNING:
The 32-bit version works on 32-bit systems only.
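One of the characteristics listed above, that GetProcessImageFileName returns an empty string for the ghosted process, is also the artifact a defender can look for. The script below is an added triage example, not code from the process_ghosting project or from Gabriel Landau's post: it walks the running processes, opens each with query-only access, asks the kernel for the backing image file name via the psapi GetProcessImageFileNameW export, and reports processes for which no name comes back. The skip of PIDs 0 and 4 and the treatment of access-denied as "unknown" rather than "suspicious" are assumptions made for this example.

```powershell
# Added detection example (not part of the process_ghosting project): list processes
# for which the kernel reports no backing image file name, which is the artifact the
# README describes for a ghosted process (GetProcessImageFileName returns "").
Add-Type -Namespace Ghost -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);

[DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetProcessImageFileNameW(IntPtr h, System.Text.StringBuilder name, uint size);
'@

$ProcessQueryLimitedInformation = 0x1000   # enough for the image-name query, works on most processes
$ErrorAccessDenied = 5                     # protected or higher-integrity process: result unknown, not evidence

function Find-UnbackedProcess {
    foreach ($p in Get-Process) {
        # Assumption: Idle (0) and System (4) never report an image file, so they are skipped.
        if ($p.Id -le 4) { continue }

        $h = [Ghost.Native]::OpenProcess($ProcessQueryLimitedInformation, $false, [uint32]$p.Id)
        if ($h -eq [IntPtr]::Zero) {
            # Access denied or the process exited between enumeration and OpenProcess: skip quietly.
            continue
        }
        try {
            $sb  = New-Object System.Text.StringBuilder 1024
            $len = [Ghost.Native]::GetProcessImageFileNameW($h, $sb, [uint32]$sb.Capacity)
            if ($len -eq 0) {
                # No device path for the image section: either the call failed or the name is empty.
                [pscustomobject]@{
                    Pid   = $p.Id
                    Name  = $p.ProcessName
                    Error = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
                }
            }
        }
        finally {
            [void][Ghost.Native]::CloseHandle($h)
        }
    }
}

Find-UnbackedProcess | Format-Table -AutoSize
```

A hit from this check is a reason to pull the process for closer inspection, not a verdict on its own; pair it with the file-system trail the issues below describe (a temporary file created and then deleted from the user's Temp directory immediately before the process appears).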


process_ghosting's Issues

The issue of VirtualAllocEx usage

https://github.com/hasherezade/process_ghosting/blob/master/process_env.cpp#L63

If the address (second parameter of VirtualAllocEx) is invalid, maybe because it conflicts or is not aligned, the actual address of the allocated buffer will be returned by VirtualAllocEx.

In my code, it won't work without address relocation processing, because almost every time the actual assigned address is not the original one I submitted.

I wonder why your code works without processing this case (actually, it works well).

License?

Hello,

Thanks for all your POCs. I'm interested in using process_ghosting to test some software. Would it be possible for you to add a license to this repo so that I don't run afoul of any copyright issues when modifying it, adding it to our test repository etc...

Many thanks.

In memory file

Hi,
I'm trying to understand and reimplement your version of Process Ghosting but in Go. Would it be possible to retrieve the file via an HTTP request instead of retrieving it from disk?
Sent you a message on twitter also if you prefer discussing there (@_atsika).

The PoC produces random results due to the ghosted file being created asynchronously

At main.cpp(27), you are calling NtOpenFile without SYNCHRONIZE and FILE_SYNCHRONOUS_IO_NONALERT flags. This means that the file is open/created for asynchronous access. Any read/write operation is pended, and may be completed asynchronously if the operating system decides to do so. Usually, it happens after reboot, when the file is not in the system cache.

Then, at main.cpp(59), you are calling NtWriteFile without waiting for the result.

TLDR: The Proof-of-concept will produce random results.

.tmp created

Hi, I'm trying to use this "injector" but it creates a .tmp and that makes it really detectable. I'm not sure if it is possible to make it so it stops creating the .tmp.

Or if there is any way to edit it myself so it doesn't create it; I tried Visual Studio but it won't read the .exe.

Blocked by wdfilter?

Hi,

I think this technique is being blocked by Windows Defender, even when it's disabled, and I'm not sure how. CreateRemoteThreadEx fails with 0xc0000022. I've confirmed it was working on Windows 10 Enterprise, with no Defender installed.

Reflective Loader as payload

Hi,
Reflective loaders like Cobalt Strike's beacon or Metasploit's meterpreter don't callback home.
Beacon seems alive but not calling back home.
Also nothing on Wireshark.
Do you have an idea why?
Thanks in advance

Payload doesn't fire

I created a reverse shell with msfvenom, precisely an exe file, but it won't fire:

E:\process_ghosting-master\Debug>proc_ghost.exe msf_rev_https.exe
[+] Created temp file: C:\Users\fancy\AppData\Local\Temp\THCFE8.tmp
[+] Information set
[+] Written!
PEB address: 2d7000
ImageBase address: 140000000
[+] Parameters mapped!
PEB address: 2d7000
PEB address: 2d7000
ProcessParameters addr: 0000025FD11A8F30
[+] Process created! Pid = 31e0
EntryPoint at: 140004000
[+] Done!

The process is created and disappears after a few seconds.

The file msf_rev_https.exe works fine btw.

Crashes my Windows 10 VM

I created a simple msfvenom 64-bit stageless payload and installed a 2019 build of Windows 10 to test out process ghosting. I used your proc_ghost64.exe with the following command on the Win 10 VM

proc_ghost64.exe shell.exe new_shell.exe

And it crashes my Windows 10 VM with the stop code: SYSTEM_SERVICE_EXCEPTION

Help please. Thanks!

32 Bit Payloads on 64 Bit Systems.

I have successfully made a build and used it to launch 64-Bit Payloads on x64. Is there any way to launch 32-Bit equivalents of these as well, using the 64-Bit version on x64?

Disclaimer: I am relatively new to C++, and would appreciate any help.

build error

When I try to build the solution I get this; any help please.

Severity Code Description Project File Line Suppression State
Error LNK2019 unresolved external symbol "bool __cdecl buffer_remote_peb(void *,struct _PROCESS_BASIC_INFORMATION &,struct _PEB &)" (?buffer_remote_peb@@YA_NPAXAAU_PROCESS_BASIC_INFORMATION@@AAU_PEB@@@z) referenced in function "bool __cdecl process_ghost(wchar_t *,unsigned char *,unsigned long)" (?process_ghost@@YA_NPA_WPAEK@Z) WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2019 unresolved external symbol "bool __cdecl setup_process_parameters(void *,struct _PROCESS_BASIC_INFORMATION &,wchar_t *)" (?setup_process_parameters@@YA_NPAXAAU_PROCESS_BASIC_INFORMATION@@PA_W@Z) referenced in function "bool __cdecl process_ghost(wchar_t *,unsigned char *,unsigned long)" (?process_ghost@@YA_NPA_WPAEK@Z) WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2019 unresolved external symbol "unsigned long __cdecl get_entry_point_rva(unsigned char const *)" (?get_entry_point_rva@@YAKPBE@Z) referenced in function "bool __cdecl process_ghost(wchar_t *,unsigned char *,unsigned long)" (?process_ghost@@YA_NPA_WPAEK@Z) WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2019 unresolved external symbol "unsigned char * __cdecl buffer_payload(wchar_t *,unsigned int &)" (?buffer_payload@@YAPAEPA_WAAI@Z) referenced in function _wmain WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2019 unresolved external symbol "void __cdecl free_buffer(unsigned char *,unsigned int)" (?free_buffer@@YAXPAEI@Z) referenced in function _wmain WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2019 unresolved external symbol "bool __cdecl get_calc_path(wchar_t *,unsigned long,bool)" (?get_calc_path@@YA_NPA_WK_N@Z) referenced in function _wmain WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2019 unresolved external symbol "bool __cdecl init_ntdll_func(void)" (?init_ntdll_func@@YA_NXZ) referenced in function _wmain WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2001 unresolved external symbol "long (__stdcall* NtCreateProcessEx)(void * *,unsigned long,struct _OBJECT_ATTRIBUTES *,void *,unsigned long,void *,void *,void *,unsigned char)" (?NtCreateProcessEx@@3P6GJPAPAXKPAU_OBJECT_ATTRIBUTES@@PAXK222E@ZA) WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2001 unresolved external symbol "long (__stdcall* NtCreateThreadEx)(void * *,unsigned long,struct _OBJECT_ATTRIBUTES *,void *,void *,void *,unsigned long,unsigned long,unsigned long,unsigned long,void *)" (?NtCreateThreadEx@@3P6GJPAPAXKPAU_OBJECT_ATTRIBUTES@@PAX22KKKK2@ZA) WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\WindowsProject4.obj 1
Error LNK2019 unresolved external symbol _WinMain@16 referenced in function "int __cdecl invoke_main(void)" (?invoke_main@@yahxz) WindowsProject4 C:\Users\aliendell\source\repos\gho\WindowsProject4\MSVCRTD.lib(exe_winmain.obj) 1
Error LNK1120 10 unresolved externals WindowsProject4 C:\Users\aliendell\source\repos\gho\Debug\WindowsProject4.exe 1

Change Process

Hi, is there any chance that I can change the svchost.exe process creation so I can decide what name to use?
And if you can tell me on what command line the process is created, and how to change the temp creation, for random file creation...
