hasherezade / process_ghosting

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file
MIT License

Reflective Loader as payload #6

Open Atsika opened 3 years ago

Atsika commented 3 years ago

Hi,

Reflective loaders like Cobalt Strike's beacon or Metasploit's meterpreter don't call back home. Beacon seems alive but is not calling back home.

[image]

Also nothing on Wireshark. Do you have any idea why?

Thanks in advance

hasherezade commented 3 years ago

Hi, I see that the error was on referencing the token? I think the reason is that the parameters that are passed to the newly created process are incomplete. Some of the components are not filled:

https://github.com/hasherezade/process_ghosting/blob/cc51f9cd5a68b077f2f24861f313a9306fbf0c7c/process_env.cpp#L139-L151

This is because the PoC is not finished; I added only those components that were essential for making the process run. It will be fixed in the future, as mentioned here: https://github.com/hasherezade/process_ghosting/issues/2

Atsika commented 3 years ago

I understand now. How can I try to find the missing parameters?

hasherezade commented 3 years ago

The problem is, it is not that easy. By parameters I mean not just some particular values, but structures that have to be initialized in a proper way, and filled manually. It will require some research about how those parameters are set in the original process creation. And it is not documented, so it will take some digging. It is on my TODO, but I currently have some more urgent work.

hasherezade commented 3 years ago

For now what I can offer you is trying a similar method, which does not require it: transacted_hollowing. Please let me know if it works for you (it should).

Atsika commented 3 years ago

Alright, I got you. Since the process is created using CreateProcessInternalW, most of the process parameters and environment are set. I'll give it a try. Thanks for your help.