The Elastic Security team recently revealed a new technique for malware obfuscation and evasion called Process Ghosting, that allows tampering of in-memory mappings of executable files on Microsoft Windows.



The technique [1] is the evolution of already known attack methods such us as Process Doppelgänging and Process Herpaderping, and could potentially allow malware writers to bypass antivirus security systems.


How Windows processes works

A process is a dynamic entity loaded into memory (RAM), identified by a unique code called PID (Process IDentifier).
Usually, on Windows systems each process is associated with an executable .exe file stored on the hard drive.

To start a new process, the operating system needs to make a series of steps using certain API interfaces:

  1. open a handle for the executable to start
  2. create an image section for the file in memory
  3. create the process using the image section
  4. assign arguments and environment variables to process
  5. create a thread to run in the process


Executable tampering

Tampering with an executable before anti-malware products scans it would be possible during a timeframe between the time the process is created and the time when the security products they are "made aware" of its creation.

In fact, while Microsoft offers third-party security vendors the ability to register callbacks, they will not be invoked on processes creation, but only when the first threads within those processes will be created.


Process Ghosting

Process Ghosting, mainly based on Process Doppelgänging [2] and Process Herpaderping [3], allowing you to run a payload without the antivirus being able to detect it exploiting the fact that on the Windows operating system the executables can be modified or deleted only after the its binary has been mapped to an in-memory dump section.

With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).

As mentioned before, the possibility of deleting a file on Windows systems is only allowed when the executable is mapped into a memory section.

This means that the Process Ghosting technique would succeed in its malicious intent using the following attack flow:

  1. create a file
  2. mark it for deletion - this will inhibits dedetection
  3. write the payload executable to the file. The pending delete state blocks attempts to open and does not allow you to keep the contents of the file on disk
  4. map the malicious content of the file into a memory section
  5. close the file handle to complete the deletion process
  6. create a process from the section by assigning arguments and environment variables
  7. create the thread to execute process, in fileless mode

So, a malware would be able to evade the security tools because any antivirus callbacks will be invoked only after the file has been deleted and the relative thread has been created, because the antivirus can't open a file before completion of deletion (STATUS_DELETE_PENDING), but also it can't open the file after deletion (STATUS_FILE_DELETE).


The PoC


In a PoC video, researchers detailed a typical scenario where Windows Defender tries to open a malicious payload to scan it, but fails to do so because the file is in a deleted state at first and then fails to do so again since the file has already been deleted, allowing to run it.


Is there a patch?

Elastic Security reseacrher reported the problem to the Microsoft Security Response Center (MSRC), providing also the source code for the PoC. However, Microsoft have considered that the problem is not critical and the release of a patch is not essential.


References

  1. What you need to know about Process Ghosting, a new executable image tampering attack
  2. Process Doppelgänging: a more stealth alternative of the process hollowing technique?
  3. Process Herpaderping