GhostStrike: Open-source tool for ethical hacking
GhostStrike is an open-source, advanced cybersecurity tool tailored for ethical hacking and Red Team operations. It incorporates cutting-edge techniques, including process hollowing, to stealthily evade detection on Windows systems, making it an asset for penetration testing and security assessments.
“I decided to develop this tool to replicate one of the most commonly utilized process injection techniques employed in attacks, specifically process hollowing. My objective was to demonstrate how implants generated by Sliver C2 can be obfuscated to establish a connection with the command and control (C2) server without being detected by system defense mechanisms. Naturally, at some point, the behavior will become detectable. However, an attacker needs to gain access to a company to inflict irreversible and irreparable damage, especially when discussing data exfiltration,” Stiven Mayorga, the creator of GhostStrike, told Help Net Security.
GhostStrike features
- Dynamic API resolution: Utilizes a custom hash-based method to dynamically resolve Windows APIs, avoiding detection by signature-based security tools.
- Base64 encoding/decoding: Encodes and decodes shellcode to obscure its presence in memory, making it more difficult for static analysis tools to detect.
- Cryptographic key generation: Generates secure cryptographic keys using Windows Cryptography APIs to encrypt and decrypt shellcode, adding an extra layer of protection.
- XOR encryption/decryption: Simple but effective XOR-based encryption to protect the shellcode during its injection process.
- Control flow flattening: Implements control flow flattening to obfuscate the execution path, complicating analysis by both static and dynamic analysis tools.
- Process hollowing: Injects encrypted shellcode into a legitimate Windows process, allowing it to execute covertly without raising suspicions.
“GhostStrike enables the injection of malicious Sliver code into various Windows processes. In this demonstration, the injection was performed within explorer.exe because it is a process that appears legitimate to the user, as it supports Windows in presenting the operating system’s graphical user interface. However, with some code modification, it can be injected into other processes as well. Additionally, this program does not require administrative privileges to execute,” Mayorga added.
Future plans and download
“In the future, I plan to develop demonstrations featuring other widely used command and control frameworks such as Cobalt Strike, Havoc, Covenant, and Empire,” Mayorga said.
GhostStrike is available for free on GitHub.
Must read:
- 33 open-source cybersecurity solutions you didn’t know you needed
- 20 free cybersecurity tools you might have missed
- 15 open-source cybersecurity tools you’ll wish you’d known earlier
- 20 essential open-source cybersecurity tools that save you time