search

hasherezade / process_ghosting

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file
MIT License
627 stars 114 forks source link

32 Bit Payloads on 64 Bit Systems. #4

Open Providence47 opened 3 years ago

Providence47 commented 3 years ago

I have successfully made a build and used it to launch 64-Bit Payloads on x64. Is there any way to launch 32-Bit equivalents of these as well, using the 64-Bit version on x64?

Disclaimer: I am relatively new to C++, and would appreciate any help.

hasherezade commented 3 years ago

Hi, I guess you wish to use 32-bit payloads on 64 bit system? Currently it is not supported (it should be feasible to implement, but it is gonna be tedious, because it will require much more parameters to be filled in manually). Maybe one day I will add it.

For now I recommend you to try another loader that support such injections, which is very similar to Process Ghosting: https://github.com/hasherezade/transacted_hollowing

Providence47 commented 3 years ago

Thank you for your response.

From https://github.com/hasherezade/transacted_hollowing : "64 bit payload -> 64 bit target 32 bit payload -> 32 bit target" Appear to be the supported injections for the 64-bit variant though. I'm uncertain, however, whether it's possible to use 32-bit payloads on 64-bit systems, I haven't been able to test that use-case yet.

hasherezade commented 3 years ago

I'm uncertain, however, whether it's possible to use 32-bit payloads on 64-bit systems

Yes. 32 bit executables are supported on 64 bit Windows via WoW64. In contrast to Process Ghosting/Doppelganging, Transacted Hollowing does not build the whole setup from the process for scratch, so it just uses default WoW64 support.

The loader's description just says, that the target application where you inject must have the same bitness as the payload. This is the only limitation in this variant (Transacted Hollowing).

Providence47 commented 3 years ago

Thank you.

I have been trying transacted hollowing for the last few days though and am finding negligible success, unfortunately. I have been using a 'payload' that basically opens a plain window, and trying to inject it into random PEs like notepad.

I would greatly appreciate any recommendations on what the target applications should be, but I shall continue trying to learn with that clarification you just dealt me. My build was successful but for a second I was wondering whether the method still worked...

hasherezade commented 3 years ago

Can you share the exact scenario that resulted in a failure (OS, target, payload) so that I can reproduce it? Then I can help more. You can attach your payloads here (zipped) or you can send to my e-mail (hasherezade-at-pm.me).