Skip to content
/ GhostlyHollowingViaTamperedSyscalls Public

Implementing the ghostly hollowing PE injection technique using tampered syscalls.

License

MIT license
128 stars 26 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Maldev-Academy/GhostlyHollowingViaTamperedSyscalls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
GhostlyHollowingViaTamperedSyscalls
GhostlyHollowingViaTamperedSyscalls
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Ghostly Hollowing Via Tampered Syscalls

Quick Links

Maldev Academy Home

Maldev Academy Syllabus

Maldev Academy Pricing

Summary

This implementation utilizes two techniques covered in the recent updates to the Maldev Academy course:

Tampered Syscalls

  • All syscalls invoked in the implementation are called through the TAMPER_SYSCALL macro. This macro calls the StoreTamperedSyscallParms function to:

    • Determine the address of the syscall instruction within the NtQuerySecurityObject syscall stub (i.e. decoy syscall), and set a hardware breakpoint at this address.
    • Fetch the syscall number of the real invoked syscalls using the Sorting by System Call Address method introduced in SysWhispers2.
    • Save the invoked syscall's first four arguments.

  • When calling the TAMPER_SYSCALL macro, TAMPER_SYSCALL will spoof the invoked syscall's first four arguments with NULL values. Then it'll call the NtQuerySecurityObject syscall, triggering the breakpoint installed earlier.

  • We handle the raised exception by replacing the SSN of the decoy syscall (NtQuerySecurityObject) with the real invoked syscall (e.g. ZwAllocateVirtualMemory's SSN). Then we replace the spoofed arguments with the real ones. These steps are executed in the ExceptionHandlerCallbackRoutine VEH function.

Ghostly Hollowing

  1. Fetch the PE payload: The implementation fetches the PE payload (mimikatz.exe) from the disk. In an ideal situation, you should encrypt the payload and store it in the resource section.

  2. Create an empty file on the disk: Create a temporary file (.tmp) in the $env:TMP directory. This file will later be overwritten with the PE payload.

  3. Create a ghost section from the temporary file: A ghost section is created by calling ZwCreateSection to create a section from the delete-pending .tmp file, closing the file handle, and deleting the file from the disk.

  4. Create a remote process: Using the CreateProcess WinAPI, we create a remote process and map the ghost section to it.

  5. Patch the ImageBaseAddress: Patch the ImageBaseAddress element of the PEB structure to point to the mapped ghost section, and execute the PE payload's entry point via thread hijacking.

Demo

DEMO1

DEMO2

Demo.mp4

Related Maldev Academy Modules

About

Implementing the ghostly hollowing PE injection technique using tampered syscalls.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

128 stars

Watchers

4 watching

Forks

26 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages