
.tmp created

Open Jaimebuu opened this issue 3 years ago • 3 comments

Hi, I'm trying to use this "injector", but it creates a .tmp and that makes it really detectable. I'm not sure if it is possible to make it so it stops creating the .tmp.

Or if there is any way to edit it myself so it doesn't create it. I tried Visual Studio but it won't read the .exe.

Jaimebuu avatar Oct 01 '22 15:10 Jaimebuu

Hi! Please read the original description of this technique at: https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack This step is necessary for this technique:


The created .tmp file is in the delete-pending state, which prevents the file from being opened by the external processes, including anti-malware scanners.

hasherezade avatar Oct 01 '22 23:10 hasherezade
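The quoted property (the backing file is delete-pending, so scanners cannot open it, and it is gone once the process runs) is also what a defender can key on. The following is an added example, not code from this thread or from the process_ghosting project: it audits a snapshot of (pid, image path) pairs and flags processes whose image file is missing or cannot be opened. The snapshot source is assumed (on Windows it would come from something like psutil); the sample data below is constructed.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Finding:
    pid: int
    image_path: str
    reason: str


def check_image_file(path: str) -> Optional[str]:
    """Return a triage reason if the process image path looks ghosted, else None.

    A ghosted process starts from a file that was in the delete-pending state
    (unopenable by other processes) and is deleted before the process runs, so
    at audit time the image is either absent or cannot be opened for reading.
    """
    if not os.path.exists(path):
        return "image file no longer exists on disk"
    try:
        with open(path, "rb"):
            pass
    except PermissionError:
        # On Windows a delete-pending file yields access denied on open,
        # which is exactly what blocks anti-malware scanners in the technique.
        return "image file exists but cannot be opened"
    return None


def audit_processes(procs: Iterable[Tuple[int, str]]) -> List[Finding]:
    """Apply check_image_file to every (pid, image_path) pair in a snapshot."""
    findings: List[Finding] = []
    for pid, image in procs:
        reason = check_image_file(image)
        if reason is not None:
            findings.append(Finding(pid, image, reason))
    return findings


if __name__ == "__main__":
    # Constructed snapshot: one legitimate image on disk, one whose backing
    # file is gone (hypothetical ghost.tmp path, not a real indicator).
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as legit:
        legit.write(b"MZ")
    snapshot = [(1234, legit.name), (5678, "/nonexistent/ghost.tmp")]
    for f in audit_processes(snapshot):
        print(f"pid {f.pid}: {f.image_path}: {f.reason}")
    os.unlink(legit.name)
```

Legitimate processes whose binary was replaced by an update also show a missing image, so treat a hit as a triage signal to correlate with the delete-pending tampering events the Elastic post describes, not as a verdict on its own.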

Oh ok, is there any alternative to process_ghosting that doesn't require the .tmp?

Jaimebuu avatar Oct 02 '22 09:10 Jaimebuu

Yes, Process Doppelgänging (https://github.com/hasherezade/process_doppelganging) is very similar, but instead of the delete-pending file it uses a file within a transaction.

You can also have a look at my other repositories with process impersonation techniques: https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10 - maybe you will find something that fits you.

hasherezade avatar Oct 02 '22 10:10 hasherezade