Ghostly Hollowing Via Tampered Syscalls
Reupload Notice
Note
The original repository previously used an incorrect license that omitted attribution to the founder of DeceptIQ, @Rad9800, whose TamperingSyscalls repository is published under the MIT License. His work was already credited in the course module (Tampered Syscalls Via Hardware BreakPoints) and is also reflected in our public Third-Party Licenses Page.
Upon becoming aware of the omission, we promptly corrected the original repository and contacted Rad the same day to apologize for the oversight. Despite our best efforts to correct the unintended mistake, he did not reply and blocked further communication, and we received a DMCA takedown notice five months later, resulting in the original repository being deleted.
Unfortunately, the bad faith escalation left us with no practical path to resolve the matter, so we have reuploaded the repository with the correct licensing and attribution in place.
Summary
This implementation utilizes two techniques covered in the recent updates to the Maldev Academy course:
Tampered Syscalls Via Hardware BreakPoints: Used to bypass userland hooks while simultaneously spoofing the invoked syscall’s arguments.
Ghostly Hollowing: A hybrid technique between Process Hollowing and Process Ghosting.
Tampered Syscalls
All syscalls invoked in the implementation are called through the TAMPER_SYSCALL macro. This macro calls the StoreTamperedSyscallParms function to:
- Determine the address of the syscall instruction within the NtQuerySecurityObject syscall stub (i.e. the decoy syscall), and set a hardware breakpoint at this address.
- Fetch the syscall number (SSN) of the real invoked syscall using the Sorting by System Call Address method introduced in SysWhispers2.
- Save the invoked syscall's first four arguments.
When invoked, the TAMPER_SYSCALL macro spoofs the real syscall's first four arguments with NULL values and then calls the NtQuerySecurityObject syscall, which triggers the breakpoint installed earlier.
We handle the raised exception by replacing the SSN of the decoy syscall (NtQuerySecurityObject) with the SSN of the real invoked syscall (e.g. ZwAllocateVirtualMemory's SSN), and then replacing the spoofed arguments with the real ones. These steps are executed in the ExceptionHandlerCallbackRoutine VEH function.
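The detection angle on the technique described above: a thread running the decoy-syscall trick carries an execute hardware breakpoint aimed at ntdll in its debug registers while no debugger is attached. The following C code is an added example, not part of this repository; it decodes the Dr0-Dr3/Dr7 values a defender would pull from a thread's CONTEXT (GetThreadContext on Windows, or a memory dump) and flags execute breakpoints inside a caller-supplied ntdll code range. The register values and the address range in main() are constructed, and the decoding itself is platform-independent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* One armed hardware breakpoint decoded from Dr0..Dr3 + Dr7 (x64 layout, Intel SDM vol. 3). */
typedef struct {
    int slot;          /* which debug register: 0..3 */
    uint64_t address;  /* linear address held in DrN */
    int rw;            /* DR7 R/Wn: 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len;           /* DR7 LENn: 0 = 1 byte, 1 = 2, 3 = 4, 2 = 8 (must be 0 for execute) */
} HwBreakpoint;
/* Slot n is armed when its local (bit 2n) or global (bit 2n+1) enable bit is set. */
static bool hwbp_slot_armed(uint64_t dr7, int slot) {
    return ((dr7 >> (2 * slot)) & 0x3) != 0;
}
/* Decode every armed breakpoint into out[]; returns how many were found (0..4). */
int hwbp_decode(const uint64_t dr[4], uint64_t dr7, HwBreakpoint out[4]) {
    int n = 0;
    for (int slot = 0; slot < 4; slot++) {
        if (!hwbp_slot_armed(dr7, slot)) continue;
        out[n].slot    = slot;
        out[n].address = dr[slot];
        out[n].rw      = (int)((dr7 >> (16 + 4 * slot)) & 0x3);
        out[n].len     = (int)((dr7 >> (18 + 4 * slot)) & 0x3);
        n++;
    }
    return n;
}
/* Triage rule: count execute breakpoints whose address falls inside [range_start, range_end),
   e.g. the ntdll .text range of the inspected process. A non-zero result in a process with
   no debugger attached is the footprint of the decoy-syscall breakpoint described above. */
int hwbp_count_exec_in_range(const uint64_t dr[4], uint64_t dr7,
                             uint64_t range_start, uint64_t range_end) {
    HwBreakpoint bps[4];
    int n = hwbp_decode(dr, dr7, bps), hits = 0;
    for (int i = 0; i < n; i++)
        if (bps[i].rw == 0 && bps[i].address >= range_start && bps[i].address < range_end)
            hits++;
    return hits;
}
int main(void) {
    /* Constructed sample: Dr0 aimed at a made-up address inside a made-up ntdll range,
       Dr7 = 1 (L0 set, R/W0 = LEN0 = 0 -> execute breakpoint). */
    uint64_t dr[4] = { 0x00007ffa12345678ULL, 0, 0, 0 };
    uint64_t ntdll_start = 0x00007ffa12340000ULL, ntdll_end = 0x00007ffa12400000ULL;
    int hits = hwbp_count_exec_in_range(dr, 0x1, ntdll_start, ntdll_end);
    printf("execute breakpoints inside ntdll range: %d\n", hits);  /* prints 1 */
    return 0;
}
```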
Ghostly Hollowing
1. Fetch the PE payload: The implementation fetches the PE payload (mimikatz.exe) from the disk. In an ideal situation, you should encrypt the payload and store it in the resource section.
2. Create an empty file on the disk: Create a temporary file (.tmp) in the $env:TMP directory. This file will later be overwritten with the PE payload.
3. Create a ghost section from the temporary file: A ghost section is created by calling ZwCreateSection to create a section from the delete-pending .tmp file, closing the file handle, and deleting the file from the disk.
4. Create a remote process: Using the CreateProcess WinAPI, we create a remote process and map the ghost section into it.
5. Patch the ImageBaseAddress: Patch the ImageBaseAddress element of the PEB structure to point to the mapped ghost section, and execute the PE payload's entry point via thread hijacking.
Huge thanks to hasherezade for publishing Ghostly Hollowing and all her other interesting injection techniques.