This is my implementation of the technique presented by Gabriel Landau:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
- Memory artifacts as in Process Doppelgänging
- Payload mapped as
MEM_IMAGE(unnamed: not linked to any file) - Sections mapped with original access rights (no
RWX) - Payload connected to PEB as the main module
- Remote injection supported (but only into a newly created process)
- Process is created from an unnamed module (
GetProcessImageFileNamereturns empty string)
WARNING:
The 32bit version works on 32bit system only.