process_ghosting icon indicating copy to clipboard operation
process_ghosting copied to clipboard
verified publisher icon hasherezade

32 Bit Payloads on 64 Bit Systems.

Open Providence47 opened this issue 4 years ago • 5 comments

I have successfully made a build and used it to launch 64-Bit Payloads on x64. Is there any way to launch 32-Bit equivalents of these as well, using the 64-Bit version on x64?

Disclaimer: I am relatively new to C++, and would appreciate any help.

Providence47 avatar Aug 09 '21 13:08 Providence47

Hi, I guess you wish to use 32-bit payloads on 64 bit system? Currently it is not supported (it should be feasible to implement, but it is gonna be tedious, because it will require much more parameters to be filled in manually). Maybe one day I will add it.

For now I recommend you to try another loader that support such injections, which is very similar to Process Ghosting: https://github.com/hasherezade/transacted_hollowing

hasherezade avatar Aug 10 '21 01:08 hasherezade

Thank you for your response.

From https://github.com/hasherezade/transacted_hollowing : "64 bit payload -> 64 bit target 32 bit payload -> 32 bit target" Appear to be the supported injections for the 64-bit variant though. I'm uncertain, however, whether it's possible to use 32-bit payloads on 64-bit systems, I haven't been able to test that use-case yet.

Providence47 avatar Aug 12 '21 23:08 Providence47

I'm uncertain, however, whether it's possible to use 32-bit payloads on 64-bit systems

Yes. 32 bit executables are supported on 64 bit Windows via WoW64. In contrast to Process Ghosting/Doppelganging, Transacted Hollowing does not build the whole setup from the process for scratch, so it just uses default WoW64 support.

The loader's description just says, that the target application where you inject must have the same bitness as the payload. This is the only limitation in this variant (Transacted Hollowing).

hasherezade avatar Aug 16 '21 14:08 hasherezade

Thank you.

I have been trying transacted hollowing for the last few days though and am finding negligible success, unfortunately. I have been using a 'payload' that basically opens a plain window, and trying to inject it into random PEs like notepad.

I would greatly appreciate any recommendations on what the target applications should be, but I shall continue trying to learn with that clarification you just dealt me. My build was successful but for a second I was wondering whether the method still worked...

Providence47 avatar Aug 16 '21 22:08 Providence47

Can you share the exact scenario that resulted in a failure (OS, target, payload) so that I can reproduce it? Then I can help more. You can attach your payloads here (zipped) or you can send to my e-mail (hasherezade-at-pm.me).

hasherezade avatar Aug 16 '21 22:08 hasherezade