A new executable-image tampering attack dubbed “Process Ghosting” could potentially be abused by an attacker to circumvent endpoint protections and stealthily run malicious code on a Windows system from an executable that no longer exists on disk.
Process Ghosting expands on endpoint bypass methods such as Process Doppelgänging and Process Herpaderping, thereby enabling the veiled execution of malicious code that may evade anti-malware defenses and detection.
Process Doppelgänging, analogous to Process Hollowing in its goal of running attacker code under the cover of a trusted image, abuses NTFS transactions: the attacker overwrites a legitimate executable inside a transaction, creates an image section from the transacted file, rolls the transaction back so the malicious content never reaches the disk, and then creates a process from that section.
Process Herpaderping is a method of obscuring the behavior of a running process by modifying the executable on disk after the image has been mapped into memory, so that what a security product later reads from disk is not what is actually executing.
The evasion works because of “a gap between when a process is created and when security products are notified of its creation,” giving malware developers a window to tamper with the executable before security products can scan it.
Process Ghosting goes a step further than Doppelgänging and Herpaderping by making it possible to run executables that have already been deleted. It takes advantage of the fact that the checks Windows uses to prevent mapped executables from being modified or deleted only take effect once the binary has been mapped into an image section; before that point the file can still be placed into a delete-pending state.
This means that it is possible to create a file, mark it for deletion, write the payload into it, map it to an image section, close the file handle to complete the deletion, and then create a process from the now-fileless section. “This is Process Ghosting.”
In one scenario, Windows Defender attempts to open a malicious payload executable to scan it but fails because the file is in a delete-pending state, and then fails again because the file has already been deleted, allowing the payload to execute unimpeded.
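The failure mode described above, a process whose image file is delete-pending or gone, can also be hunted for after the fact. The PowerShell script below is an added defensive example written for this article; it is not code from the article or from the Process Ghosting research. It assumes that Windows still reports the original, now-deleted path as the image path of a ghosted process, so any running process whose reported image cannot be found on disk, or cannot be opened (a delete-pending file is still listed by the directory but every open is refused as access denied), is worth investigating. Protected processes that refuse module enumeration are reported separately so they do not drown out real findings.

```powershell
# Added defensive example, not code from the article or from the Process Ghosting
# research. Hunts for running processes whose reported image file is missing from
# disk or cannot be opened, the state the Defender scenario above describes.
# Assumption: Windows still reports the original, now-deleted path as the image
# path of a ghosted process.

function Find-GhostedProcessCandidate {
    [CmdletBinding()]
    param()

    foreach ($proc in Get-Process) {
        $path     = $null
        $reason   = $null
        $severity = 'Finding'

        try {
            # Image path as recorded in the process's loader data.
            $path = $proc.MainModule.FileName
        }
        catch [System.ComponentModel.Win32Exception] {
            # Protected or higher-integrity processes refuse module enumeration;
            # report them as informational rather than as findings.
            $reason   = 'image path not readable (access denied)'
            $severity = 'Info'
        }
        catch {
            $reason   = "image path unavailable: $($_.Exception.Message)"
            $severity = 'Info'
        }

        if ($path) {
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                # Directory lookup no longer finds the file: the backing
                # executable was deleted after the image section was created.
                $reason = 'image file missing on disk'
            }
            else {
                try {
                    # A delete-pending file still appears in directory listings,
                    # but every open fails with STATUS_DELETE_PENDING, which Win32
                    # callers see as access denied.
                    $stream = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
                    $stream.Dispose()
                }
                catch [System.UnauthorizedAccessException] {
                    $reason = 'image file present but cannot be opened (access denied or delete pending)'
                }
                catch [System.IO.IOException] {
                    $reason = "image file present but cannot be opened: $($_.Exception.Message)"
                }
            }
        }

        if ($reason) {
            [pscustomobject]@{
                Severity  = $severity
                ProcessId = $proc.Id
                Name      = $proc.ProcessName
                Path      = $path
                Reason    = $reason
            }
        }
    }
}

# Usage: show only real findings, leaving out protected-process noise.
Find-GhostedProcessCandidate | Where-Object Severity -eq 'Finding' | Format-Table -AutoSize
```

Run it from an elevated prompt so that module enumeration succeeds for as many processes as possible. Treat the output as a triage aid rather than a verdict: the attacker controls the process parameters of the ghosted process, so the reported path is only as honest as the implant chooses to make it, and the durable fix belongs in the endpoint product itself, at the moment it is notified of process creation, rather than in a later attempt to reopen the image by path.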