
Process Ghosting
Created the Wednesday 16 June 2021. Updated 1 year, 11 months ago.
Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded.
Windows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with FILE_WRITE_DATA
(to modify it) will fail with ERROR_SHARING_VIOLATION
. Deletion attempts via FILE_DELETE_ON_CLOSE
/FILE_FLAG_DELETE_ON_CLOSE
fail with ERROR_SHARING_VIOLATION
. NtSetInformationFile
(FileDispositionInformation
) requires the DELETE
access right. Even though the DELETE
access right is granted to files mapped to image sections, NtSetInformationFile
(FileDispositionInformation
) fails with STATUS_CANNOT_DELETE
. Deletion attempts via FILE_SUPERCEDE
/CREATE_ALWAYS
fail with ACCESS_DENIED
.
An important note, however, is that this deletion restriction only comes into effect once the executable is mapped into an image section. This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section. This is Process Ghosting.
The attack flow is:
- Create a file
- Put the file into a delete-pending state using
NtSetInformationFile
(FileDispositionInformation). Note: Attempting to useFILE_DELETE_ON_CLOSE
instead will not delete the file. - Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
- Create an image section for the file.
- Close the delete-pending handle, deleting the file.
- Create a process using the image section.
- Assign process arguments and environment variables.
- Create a thread to execute in the process.
Technique Identifier
Contributors
Additional Resources
External Links
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.