Process Ghosting is a technique for evading detection by manipulating the executable image at the moment a process is created: the process runs from an image whose backing file has already been deleted, so nothing remains on disk for a scanner to open.
Windows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with FILE_WRITE_DATA (to modify it) fail with ERROR_SHARING_VIOLATION. Deletion attempts via FILE_FLAG_DELETE_ON_CLOSE fail as well. Deleting via NtSetInformationFile(FileDispositionInformation) requires the DELETE access right; even though DELETE access is granted on files mapped to image sections, NtSetInformationFile(FileDispositionInformation) still fails with STATUS_CANNOT_DELETE. Overwriting the file by opening it with CREATE_ALWAYS fails too.
An important note, however, is that this deletion restriction only comes into effect once the executable is mapped into an image section. This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section. This is Process Ghosting.
The attack flow is:
- Create a file
- Put the file into a delete-pending state using NtSetInformationFile(FileDispositionInformation). Note: attempting to use FILE_DELETE_ON_CLOSE instead will not delete the file.
- Write the payload executable to the file. Because the file is already delete-pending, the content is discarded as soon as the handle closes, and the delete-pending state also makes any external attempt to open the file fail (STATUS_DELETE_PENDING).
- Create an image section for the file (NtCreateSection with SEC_IMAGE).
- Close the delete-pending handle, deleting the file. The image section keeps the mapped copy alive.
- Create a process from the image section (NtCreateProcessEx).
- Assign process arguments and environment variables (build an RTL_USER_PROCESS_PARAMETERS block and copy it into the new process).
- Create a thread to execute in the process (NtCreateThreadEx at the image entry point).