KingHamlet: Process Ghosting Tool
Process Ghosting Tool – 64 bits Only!
King Hamlet is a simple tool, which allows you to perform a Process Ghosting Attack. (https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack)
Initially, you have to encrypt a file, which is later located on the system to be attacked, after, the tool is used to decrypt the file and create a process using the Process Ghosting technique; this allows to bypass a significant number of security solutions.
The attack flow is:
- Create a file
- Put the file into a delete-pending state using NtSetInformationFile(FileDispositionInformation). Note: Attempting to use FILE_DELETE_ON_CLOSE instead will not delete the file.
- Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
- Create an image section for the file.
- Close the delete-pending handle, deleting the file.
- Create a process using the image section.
- Assign process arguments and environment variables.
- Create a thread to execute in the process.
Encrypt a File
- sourcefile.exe – File that is going to be encrypted – 64-bit executables only
- encryptkey – Key use to encrypt the file, 16 bytes top, otherwise it’s gonna be trim
Execute a file:
- sourcefile.exe – File encrypted, that is going to be executed
- encryptkey – Key use to decrypt the file
- targetfile.exe – File “created” temporarily for the process
Copyright (C) 2021 IkerSaint