
GhostStrike: Open source ethical hacking tool


GhostStrike is an advanced open source cybersecurity tool tailored for ethical hacking and red team operations. It incorporates cutting-edge techniques, including process hollowing, to stealthily evade detection on Windows systems, making it an asset for penetration testing and security assessments.

“I decided to develop this tool to reproduce one of the most commonly used process injection techniques in attacks, specifically process hollowing. My goal was to demonstrate how implants generated by Sliver C2 can be obfuscated to connect to the Command and Control (C2) server without being detected by system defense mechanisms. Of course, the behavior becomes noticeable at some point. However, an attacker must gain access to an organization to cause irreversible and irreparable damage, especially when it comes to data exfiltration,” GhostStrike creator Stiven Mayorga told Help Net Security.

GhostStrike Features

  • Dynamic API resolution: Uses a custom hash-based method to resolve Windows APIs at runtime, avoiding the import-table signatures that signature-based security tools look for.
  • Base64 encoding/decoding: Encodes and decodes the shellcode to obscure its presence in memory and make it harder for static analysis tools to detect.
  • Cryptographic key generation: Generates keys with the Windows cryptography APIs to encrypt and decrypt the shellcode, adding a further layer of protection.
  • XOR encryption/decryption: Simple but effective XOR-based encryption to protect the shellcode during the injection process.
  • Control flow flattening: Obscures the execution path so that the program is harder to follow with both static and dynamic analysis tools.
  • Process hollowing: Injects the encrypted shellcode into a legitimate Windows process and lets it run under that process's name without arousing suspicion.
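Process hollowing, the last feature in the list, works by replacing the code of a legitimately started process with the implant, so the image the process presents in memory no longer matches the executable on disk. That inconsistency is what memory-forensics tooling keys on. The following is an added example written for this article, not code from GhostStrike or its author: a small PE header parser and a comparison routine that reports the discrepancies a hollowed process typically shows (entry point and section table changed, a section that is both writable and executable). The two images it compares are constructed inline so the script runs offline; on a real system the memory copy would be read from the live process and the disk copy from its backing file, which is outside this snippet.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe_image(entry_point, image_base, sections):
    """Construct a minimal PE32+ header (DOS stub, PE signature, COFF header,
    optional header, section table). Constructed test data, not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    opt = bytearray(0xF0)                               # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)               # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_point)        # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)         # ImageBase
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, vsize, 0, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, flags in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(image):
    """Return entry point, image base and (name, vaddr, vsize, flags) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x20B:                                  # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    elif magic == 0x10B:                                # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_off = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, *_rest, flags = struct.unpack_from("<8sIIIIIIHHI", image, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, flags))
    return {"entry_point": entry, "image_base": image_base, "sections": sections}


def compare_images(disk_image, memory_image):
    """Report header-level differences between a process's file on disk and its in-memory image.
    An empty list means the headers agree. ImageBase is deliberately not compared: the
    address the loader actually used comes from the PEB, not from this header."""
    disk, mem = parse_pe(disk_image), parse_pe(memory_image)
    findings = []
    if disk["entry_point"] != mem["entry_point"]:
        findings.append(f"entry point mismatch: disk {disk['entry_point']:#x} vs memory {mem['entry_point']:#x}")
    if len(disk["sections"]) != len(mem["sections"]):
        findings.append(f"section count mismatch: disk {len(disk['sections'])} vs memory {len(mem['sections'])}")
    for d, m in zip(disk["sections"], mem["sections"]):
        if d != m:
            findings.append(f"section {d[0]!r} differs: disk {d[1:]} vs memory {m[1:]}")
    for name, _vaddr, _vsize, flags in mem["sections"]:
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable in memory")
    return findings


# Constructed sample: what the file on disk declares ...
DISK_IMAGE = build_pe_image(0x1500, 0x140000000, [
    (".text", 0x1000, 0x2000, 0x60000020),   # CODE | EXECUTE | READ
    (".data", 0x3000, 0x1000, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
])
# ... and a constructed in-memory image after the original code was replaced.
HOLLOWED_IMAGE = build_pe_image(0x4000, 0x140000000, [
    (".text", 0x1000, 0x5000, 0xE0000020),   # CODE | EXECUTE | READ | WRITE
])

if __name__ == "__main__":
    print("clean process:", compare_images(DISK_IMAGE, DISK_IMAGE))
    for finding in compare_images(DISK_IMAGE, HOLLOWED_IMAGE):
        print("hollowed process:", finding)
```

The check is intentionally header-only: a hollowed process that keeps the original headers byte-for-byte would pass it, which is why production tooling also compares the PEB image base against the mapped file and hashes the executable pages themselves. The example is meant to make the principle concrete, not to replace such tooling.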

“GhostStrike enables the injection of malicious Sliver code into various Windows processes. In this demonstration, the injection was performed within explorer.exe because it is a process that appears legitimate to the user as it helps Windows present the operating system’s graphical user interface. However, with some code changes it can also be inserted into other processes. Additionally, no administrative privileges are required to run this program,” Mayorga added.

Future plans and download

“In the future, I plan to develop demonstrations with other widely used command and control frameworks such as Cobalt Strike, Havoc, Covenant and Empire,” Mayorga said.

GhostStrike is available for free on GitHub.
