1 | 1 | | # GhostInjector |
2 | 2 | | |
| 3 | + | proof of concept dll injector which injects without a process handle, and with a thread handle instead |
| 4 | + | with the power of Get/SetThreadContext, and some gadgets, you are able to call functions and write to another process |
| 5 | + | |
3 | 6 | | |
4 | 7 | | https://github.com/li4321/GhostInjector/assets/148918162/3081eb05-40fb-4c04-83c0-fd327c8cedd0 |
5 | 8 | | |
6 | 9 | | |
| 10 | + | (!! there is a really weird problem in the program which I do not know how to fix, sometimes it works, sometimes it crashes) |
| 11 | + | (for some reason, if you place a breakpoint at line 176 in ghostwrite.cpp, and then remove it and continue once hit, the problem will not occur) |
| 12 | + | ```c++ |
| 13 | + | // mov qword ptr [rdx], rax |
| 14 | + | // ret |
| 15 | + | ctx.Rdx = addr; |
| 16 | + | ctx.Rax = value; |
| 17 | + | ctx.Rip = writeGadgetAddr; // <-- place breakpoint here |
| 18 | + | ctx.Rsp = jmp0StackAddr; // jmp 0 --> infinite loop |
| 19 | + | ``` |
| 20 | + | |
| 21 | + | |
| 22 | + | resources which made this possible: |
| 23 | + | https://github.com/c0de90e7/GhostWriting/blob/master/gw_ng.c |
| 24 | + | https://blog.sevagas.com/IMG/pdf/code_injection_series_part5.pdf |
| 25 | + | |
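Review bot: the troubleshooting note anchored on "line 176 in ghostwrite.cpp" will go stale as soon as that file is edited; since the snippet is already quoted, reference it by the enclosing function or by the `ctx.Rip = writeGadgetAddr;` line instead of a line number. The same paragraph should also state the platform the "sometimes works, sometimes crashes" behaviour was observed on (Windows version, x64 only, since the quoted code sets `Rdx`/`Rax`/`Rip`/`Rsp` and the write gadget is `mov qword ptr [rdx], rax`), otherwise readers cannot tell whether a crash they see is the known issue or a different one.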