KingHamlet: Process Ghosting Tool

KingHamlet

Process Ghosting Tool – 64 bits Only!

King Hamlet is a simple tool, which allows you to perform a Process Ghosting Attack. (https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack)

Initially, you have to encrypt a file, which is later located on the system to be attacked, after, the tool is used to decrypt the file and create a process using the Process Ghosting technique; this allows to bypass a significant number of security solutions.

The attack flow is:

1. Create a file
2. Put the file into a delete-pending state using NtSetInformationFile(FileDispositionInformation). Note: Attempting to use FILE_DELETE_ON_CLOSE instead will not delete the file.
3. Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
4. Create an image section for the file.
5. Close the delete-pending handle, deleting the file.
6. Create a process using the image section.
7. Assign process arguments and environment variables.
8. Create a thread to execute in the process.

Encrypt a File

• sourcefile.exe – File that is going to be encrypted – 64-bit executables only
• encryptkey – Key use to encrypt the file, 16 bytes top, otherwise it’s gonna be trim

Execute a file:

• sourcefile.exe – File encrypted, that is going to be executed
• encryptkey – Key use to decrypt the file
• targetfile.exe – File “created” temporarily for the process

Download

Copyright (C) 2021 IkerSaint