SharpGhosting

Process Ghosting (x64 only) in C#

https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

Compile options:

Build the solution
PS C:\> C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /out:SharpGhost.exe /unsafe C:\Path\to\SharpGhosting\*.cs
- v4.0.30319's csc.exe also works for compiling

Usage:

-real: the exe you want executed [Required]
-fake: path to a file that doesn't exist (parent directory must exist though) [Optional]

PS C:\> .\Path\to\SharpGhosting.exe -real C:\windows\system32\cmd.exe
PS C:\> .\Path\to\SharpGhosting.exe -real C:\windows\system32\cmd.exe -fake C:\windows\temp\fakefile

Super helpful projects:

https://github.com/hasherezade/process_ghosting
https://github.com/aaaddress1/PR0CESS/tree/main/miniGhosting
https://github.com/FuzzySecurity/Sharp-Suite/tree/master/SwampThing

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

SharpGhosting

Compile options:

Usage:

Super helpful projects:

Files

README.md

Latest commit

History

README.md

File metadata and controls

SharpGhosting

Compile options:

Usage:

Super helpful projects: