Threads and Phantom Injection

The ‘threads’ command lists the running threads in the system and can be used to identify threads that are already in an alertable wait state. Combined with ‘threads’, the ‘phantom_thread’ command is an effective way to hide the memory traces that remote process injection normally leaves behind.

The ‘phantom_thread’ command uses a ROP gadget technique together with context hijacking of an alertable thread. The gadgets redirect the execution flow so that it appears to originate from a legitimate image region instead of directly from the RX region that holds the payload. However, the gadgets required for the ROP chain exist in only a few Windows DLLs. If the required gadget is not found, ‘phantom_thread’ falls back to plain hijacking of the thread, but without opening a handle to the target process, which is still stealthier than most injection methods (a process handle is what most injection techniques need and what most telemetry keys on). The command uses indirect syscalls where required.

NOTE: Because this command requires an alertable thread, the operator must first locate a valid alertable thread that can be hijacked and alerted. C# (.NET) processes and Windows Apps cannot be hijacked.
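Added example (not part of the ‘threads’/‘phantom_thread’ documentation and not the framework's own code): a PowerShell triage of a target's threads, of the kind an operator runs before picking a thread to hijack. It uses only the .NET ProcessThread and ProcessModule APIs. Two caveats it encodes: WaitReason is only valid while ThreadState is ‘Wait’, and neither field reveals whether the wait is alertable, so UserRequest and ExecutionDelay waits are flagged as candidates only (these are the wait reasons produced by alertable WaitForSingleObjectEx/SleepEx calls, but also by non-alertable ones). It also reports whether each thread's start address falls inside a loaded module, the classic indicator of injected code that a hijacked legitimate thread avoids creating. The function name, the Candidate heuristic and the ‘<unbacked>’ label are this example's own choices.

```powershell
# Added example: triage threads of a target process for hijack candidates.
# Requires a PowerShell of the same bitness as the target; Modules enumeration
# on protected or cross-bitness processes throws a Win32Exception.
function Get-ThreadTriage {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop

    # Address ranges of every loaded module: [BaseAddress, BaseAddress + size)
    $ranges = foreach ($m in $proc.Modules) {
        [pscustomobject]@{
            Name  = $m.ModuleName
            Start = $m.BaseAddress.ToInt64()
            End   = $m.BaseAddress.ToInt64() + $m.ModuleMemorySize
        }
    }

    foreach ($t in $proc.Threads) {
        # WaitReason throws InvalidOperationException unless the thread is waiting
        $wait = if ($t.ThreadState -eq 'Wait') { "$($t.WaitReason)" } else { $null }

        $start = $t.StartAddress.ToInt64()
        $owner = ($ranges | Where-Object { $start -ge $_.Start -and $start -lt $_.End } |
                  Select-Object -First 1).Name

        [pscustomobject]@{
            Tid         = $t.Id
            State       = $t.ThreadState
            WaitReason  = $wait
            # Heuristic only: these wait reasons MAY be alertable waits (SleepEx,
            # WaitForSingleObjectEx with bAlertable = TRUE); verify before hijacking.
            Candidate   = ($wait -in @('UserRequest', 'ExecutionDelay'))
            StartModule = if ($owner) { $owner } else { '<unbacked>' }
        }
    }
}

# Usage: list waiting threads of the first explorer.exe, candidates first.
$target = (Get-Process -Name explorer)[0].Id
Get-ThreadTriage -ProcessId $target |
    Where-Object State -eq 'Wait' |
    Sort-Object Candidate -Descending |
    Format-Table -AutoSize
```

A thread reported with StartModule ‘<unbacked>’ is exactly what the ROP gadget variant of ‘phantom_thread’ is designed not to produce; the same check, run after injection, is a quick way to confirm whether a hijacked thread still looks like it belongs to a legitimate image.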