Ghosting Process

ProcessGhosting implemented in Rust with Better Err Handeling with Detailed logging.

Author: Whitecat18

GhostingProcess/Cargo.toml

@@ -0,0 +1,14 @@
+[package]
+name = "GhostingProcess"
+version = "0.1.0"
+edition = "2021"
+authors = ["5mukx", "[email protected]"]
+repository = "https://github.com/Whitecat18/Rust-for-Malware-Development"
+keywords = ["process-ghosting", "windows", "security", "research", "malware-development"]
+categories = ["development-tools", "os", "security"]
+license = "MIT"
+readme = "README.md"
+
+[dependencies]
+winapi = { version = "0.3.9", features = ["winuser", "fileapi", "errhandlingapi", "winbase", "memoryapi", "processenv", "userenv"] }
+ntapi = { version = "0.4.0" }

GhostingProcess/README.md

@@ -0,0 +1,11 @@
+## ProcessGhosting in Rust
+
+Process ghosting is an advanced technique used in Windows systems to create a new process in a way that hides or manipulates its presence from typical security tools or monitoring mechanisms. Imagine you’re playing a game of hide-and-seek with a computer’s security system. Normally, when a program (or process) starts, it creates a file on the disk, loads it into memory, and runs it, leaving traces that security software can easily detect. Process ghosting, however, tricks the system by using a special method: it creates a temporary file, marks it for deletion (so it’s not easily visible), writes the program’s code into this file, and then maps it directly into memory as a section without leaving a permanent file on the disk. This new process is then launched from this in-memory section, making it look like a "ghost" because it doesn’t have a clear file origin that traditional antivirus or monitoring tools can trace.
+
+### POC Image..
+
+![Ghost Process](./image.png)
+
+## Credits and Reference
+
+* https://github.com/hasherezade/process_ghosting.git