Code Injection - Weaponize GhostWriting Injection
Code injection series part 5

Let's talk about the code injection technique called GhostWriting, which works by manipulating the register state of a thread in the target process.

Article published on 2 September 2020

by Emeric Nasi


Prerequisites: This document requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1.
License: Copyright Emeric Nasi (@EmericNasi), some rights reserved.
This work is licensed under a Creative Commons Attribution 4.0 International License.

I Introduction

Ghost writing is a technique that consists of injecting and running code in a remote process by manipulating the register state (the thread context) of one of its threads.
This technique allows us to perform code injection without opening a handle to the process and without calling any of the classic functions involved in remote memory allocation or memory writing.

I haven't found a satisfying implementation for 64-bit code, and generally the few existing implementations for 32-bit only describe limited shellcode injection, so I decided to implement my own version and write something about it.

If you wish to read more about this, the document can also be downloaded in PDF format.