• Process Ghosting exploits the delay between process creation and thread notification, enabling pre‑scan tampering.
• The attack writes malware to disk, deletes it, yet execution continues as if the file still existed.
• Unlike Process Doppelgänging, it avoids code injection, hollowing, or TxF, using only native Windows APIs.
• Security vendors rely on PsSetCreateProcessNotifyRoutineEx callbacks, which trigger on first thread creation, not process start.
• The technique creates a window in which anti‑malware scanners miss the malicious image before execution.
• Defenders should monitor early thread creation events and validate executable integrity before execution.
Article Summaries:
- Process Ghosting: a new executable image tampering technique
Security researchers have identified “Process Ghosting,” a Windows attack that exploits the gap between a process’s creation and the notification callbacks (PsSetCreateProcessNotifyRoutineEx) that security products rely on. Unlike Process Doppelgänging or Herpaderping, this method does not use code injection, process hollowing, or Transactional NTFS. Instead, an attacker writes malware to disk, modifies the executable’s image section in memory, then deletes the file on disk. The process continues to run the deleted code as if it were a legitimate file, evading scans and deletion. The technique highlights a critical window in the Windows process‑launch pipeline that defenders must address.
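As an added defensive example (not code from the article or the researchers it summarises), the PowerShell hunt below lists running processes whose main image path no longer resolves to a file on disk, which is the footprint the summary describes for a ghosted process. It assumes an elevated session and only the standard Get-Process and Test-Path cmdlets; hits still need triage, since self-deleting installers and in-place updates produce the same condition.

```powershell
# Hunt for processes whose reported image file is missing from disk.
# A ghosted process runs from an image section whose backing file was
# delete-pending and is gone by the time the first thread starts, so the
# path taken from the process's own module list points at nothing.
# Assumption: run elevated so more processes expose their main module.

function Find-MissingImageProcess {
    [CmdletBinding()]
    param()

    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        $path = $null
        try { $path = $p.Path } catch { }   # access denied / protected process

        # No user-mode image path (System, Idle, some protected processes)
        if ([string]::IsNullOrEmpty($path)) { continue }

        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $start = $null
            try { $start = $p.StartTime } catch { }

            [pscustomobject]@{
                Pid       = $p.Id
                Name      = $p.ProcessName
                ImagePath = $path
                StartTime = $start
                Reason    = 'Main image path does not exist on disk'
            }
        }
    }
}

# Print candidates for analyst review; feed the objects to your SIEM
# or EDR case tooling instead of acting on them automatically.
Find-MissingImageProcess | Format-Table -AutoSize
```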
Sources: