| 1 | 1 | | # GhostInjector |
| 2 | 2 | | |
| | 3 | + | proof of concept dll injector which injects without a process handle, and with a thread handle instead |
| | 4 | + | with the power of Get/SetThreadContext, and some gadgets, you are able to call functions and write to another process |
| | 5 | + | |
| 3 | 6 | | |
| 4 | 7 | | https://github.com/li4321/GhostInjector/assets/148918162/3081eb05-40fb-4c04-83c0-fd327c8cedd0 |
| 5 | 8 | | |
| 6 | 9 | | |
| | 10 | + | (!! there is a really weird problem in the program which I do not know how to fix, sometimes it works, sometimes it crashes) |
| | 11 | + | (for some reason, if you place a breakpoint at line 176 in ghostwrite.cpp, and then remove it and continue once hit, the problem will not occur) |
| | 12 | + | ```c++ |
| | 13 | + | // mov qword ptr [rdx], rax |
| | 14 | + | // ret |
| | 15 | + | ctx.Rdx = addr; |
| | 16 | + | ctx.Rax = value; |
| | 17 | + | ctx.Rip = writeGadgetAddr; // <-- place breakpoint here |
| | 18 | + | ctx.Rsp = jmp0StackAddr; // jmp 0 --> infinite loop |
| | 19 | + | ``` |
| | 20 | + | |
| | 21 | + | |
| | 22 | + | resources which made this possible: |
| | 23 | + | https://github.com/c0de90e7/GhostWriting/blob/master/gw_ng.c |
| | 24 | + | https://blog.sevagas.com/IMG/pdf/code_injection_series_part5.pdf |
| | 25 | + | |
