
👻 Ghostmove

Zero-dependency cross-platform mouse control using native OS APIs

A lightweight post-exploitation research tool for testing endpoint detection and response (EDR) capabilities against dependency-free payloads.


🎯 Overview

Ghostmove provides programmatic mouse control across Windows, Linux, and macOS without any external dependencies. Built using direct OS API bindings via Python's ctypes, this tool demonstrates how to interact with low-level system interfaces for red team operations.

Why This Exists

Traditional automation libraries (PyAutoGUI and similar packages) require pip installation and pull in large dependency trees, which EDR solutions can fingerprint easily. This project explores minimal-footprint cursor control using only the Python standard library plus native OS APIs.

Use Cases:

  • Red Team: Post-exploitation persistence testing
  • Blue Team: Understanding evasion techniques for better detection
  • Research: EDR bypass methodology
  • Education: Learning OS API interaction

⚡ Features

Multi-Platform Support

  • Windows: Direct user32.dll bindings (SetCursorPos, GetCursorPos)
  • Linux X11: libX11.so integration (XWarpPointer, XQueryPointer)
  • macOS: Quartz/CoreGraphics (CGEventCreateMouseEvent)

Movement Patterns

  • jitter - Random micro-movements (simulates hardware glitch)
  • drift - Slow movement toward screen corners
  • circle - Circular motion patterns
  • evasion - Cursor jumps away when user moves it
  • drunk - Wobbly, erratic movements
  • gravity - Constant pull toward screen center
  • chaos - Randomly switches between all patterns

Zero Dependencies

  • Pure Python 3.7+ (no pip install required)
  • Works with standard library only
  • Entire payload: ~15KB
  • Runs in restricted/air-gapped environments

🚀 Quick Start

Installation

git clone https://github.com/YOUR_USERNAME/phantom-cursor.git
cd phantom-cursor

No pip install needed!

Basic Usage

# Random jitter for 60 seconds
python phantom_cursor.py --mode jitter --duration 60

# Drift to bottom-right corner
python phantom_cursor.py --mode drift --duration 30

# Evasion mode (cursor runs from user)
python phantom_cursor.py --mode evasion --duration 120

# Chaos mode (random patterns)
python phantom_cursor.py --mode chaos --duration 60

Programmatic Usage

from phantom_cursor import get_cursor_controller

# Get platform-appropriate controller
cursor = get_cursor_controller()

# Move to absolute position
cursor.move_to(500, 300)

# Move relative to current position
cursor.move_relative(10, -20)

# Get current position
x, y = cursor.get_position()

# Get screen dimensions
width, height = cursor.get_screen_size()

🛡️ Detection & Evasion

What EDR Solutions See

Traditional automation (PyAutoGUI):

Process: python.exe
Loaded modules: pyautogui.pyd, PIL.pyd, numpy.pyd, ...
Signature: Known automation library
Detection: ✅ Flagged immediately

Ghostmove:

Process: python.exe
Loaded modules: ctypes (standard library)
Signature: Direct OS API calls (legitimate use)
Detection: ⚠️ Requires behavioral analysis

Defensive Perspective

Blue team should monitor:

  • Unusual cursor movement patterns (velocity, acceleration analysis)
  • Cursor activity when user input devices are idle
  • Process making excessive cursor API calls
  • Correlation with other suspicious behaviors

Detection strategies:

  • Behavioral analysis (movement pattern recognition)
  • User input device correlation (keyboard/mouse hardware events)
  • Process reputation and parent process analysis
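The three heuristics listed above (velocity/acceleration uniformity, cursor motion while hardware input is idle, and abrupt absolute jumps of the kind SetCursorPos/XWarpPointer produce) can be run over sampled cursor telemetry. The following is an added example written for this page, not code from the Ghostmove project; it assumes a hypothetical telemetry feed that records cursor position together with the seconds elapsed since the last hardware keyboard/mouse event, and the traces it analyzes are constructed inline.

```python
"""Heuristic detector for scripted cursor movement over sampled telemetry (added example)."""
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CursorSample:
    t: float             # sample time in seconds
    x: int
    y: int
    hw_input_age: float  # seconds since the last hardware input event (assumed telemetry field)


def step_speeds(samples: List[CursorSample]) -> List[float]:
    """Pixels-per-second speed between consecutive samples; zero-length intervals are skipped."""
    speeds = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            continue
        speeds.append(math.hypot(cur.x - prev.x, cur.y - prev.y) / dt)
    return speeds


def coefficient_of_variation(values: List[float]) -> float:
    """Standard deviation divided by mean over the non-zero values; ~0 means every step had the same speed."""
    moving = [v for v in values if v > 0]
    if len(moving) < 2:
        return 0.0
    mean = sum(moving) / len(moving)
    variance = sum((v - mean) ** 2 for v in moving) / len(moving)
    return math.sqrt(variance) / mean


def analyze_trace(samples: List[CursorSample], *, teleport_px: float = 200.0,
                  idle_seconds: float = 2.0, min_uniform_steps: int = 10,
                  uniform_cv: float = 0.10) -> Dict[str, object]:
    """Apply the three heuristics and return the findings. Thresholds are illustrative, not tuned."""
    findings: List[str] = []
    pairs = list(zip(samples, samples[1:]))

    # 1. Teleports: a large displacement between two consecutive samples, typical of absolute
    #    positioning calls rather than a physical mouse sliding across the desk.
    teleports = sum(1 for a, b in pairs if math.hypot(b.x - a.x, b.y - a.y) >= teleport_px)
    if teleports:
        findings.append(f"{teleports} cursor jump(s) of at least {teleport_px:.0f}px between samples")

    # 2. Cursor moved although no hardware keyboard/mouse event has been seen for idle_seconds.
    idle_moves = sum(1 for a, b in pairs
                     if (b.x, b.y) != (a.x, a.y) and b.hw_input_age >= idle_seconds)
    if idle_moves:
        findings.append(f"{idle_moves} movement(s) while hardware input idle >= {idle_seconds:.0f}s")

    # 3. Unnaturally uniform speed across many steps (scripted drift); human motion varies widely.
    speeds = step_speeds(samples)
    cv = coefficient_of_variation(speeds)
    if len(speeds) >= min_uniform_steps and cv < uniform_cv:
        findings.append(f"near-constant step speed over {len(speeds)} steps (cv={cv:.3f})")

    return {"suspicious": bool(findings), "findings": findings, "speed_cv": round(cv, 3)}


def synthetic_drift_trace() -> List[CursorSample]:
    """Constructed: scripted drift of 5px diagonally every 50 ms with no hardware input for the window."""
    return [CursorSample(t=i * 0.05, x=100 + 5 * i, y=100 + 5 * i, hw_input_age=30.0 + i * 0.05)
            for i in range(40)]


def humanlike_trace() -> List[CursorSample]:
    """Constructed: irregular step sizes with pauses, hardware input fresh on every sample."""
    steps = [3, 12, 7, 0, 21, 9, 2, 15, 4, 18, 6, 1, 11, 8, 0, 14, 5, 19, 3, 10]
    samples, x = [CursorSample(t=0.0, x=100, y=100, hw_input_age=0.02)], 100
    for i, step in enumerate(steps, start=1):
        x += step
        samples.append(CursorSample(t=i * 0.05, x=x, y=100, hw_input_age=0.02))
    return samples


def evasion_jump_trace() -> List[CursorSample]:
    """Constructed: a few natural steps, then one ~490px jump while the user is actively moving."""
    points = [(100, 100), (103, 102), (106, 104), (500, 400), (503, 402)]
    return [CursorSample(t=i * 0.05, x=x, y=y, hw_input_age=0.01) for i, (x, y) in enumerate(points)]


if __name__ == "__main__":
    for name, trace in (("drift", synthetic_drift_trace()), ("human", humanlike_trace()),
                        ("evasion", evasion_jump_trace())):
        print(name, analyze_trace(trace))
```

The uniform-speed check only fires once enough steps have been observed, so a short human flick is not misclassified, while a scripted drift of constant step size trips it immediately; in a real deployment the hardware-idle field would come from the endpoint agent's raw input telemetry and the thresholds would need tuning per fleet.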

📋 Technical Details

Windows Implementation

Uses ctypes.windll.user32:

  • SetCursorPos(x, y) - Absolute positioning
  • GetCursorPos(POINT*) - Current position
  • GetSystemMetrics() - Screen dimensions

Linux X11 Implementation

Uses libX11.so via ctypes:

  • XWarpPointer() - Cursor movement
  • XQueryPointer() - Position retrieval
  • XDisplayWidth/Height() - Screen size

macOS Implementation

Uses Quartz framework:

  • CGEventCreateMouseEvent() - Create mouse event
  • CGEventPost() - Post event to the system
  • CGEventGetLocation() - Get cursor position

⚠️ Disclaimer

FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY

This tool is provided for:

  • Security research
  • Authorized penetration testing
  • Educational purposes
  • Red team exercises with proper authorization

Unauthorized use is illegal and unethical.

Always obtain written permission before testing on systems you don't own.


🤝 Contributing

Contributions welcome! Areas for improvement:

  • Wayland support for modern Linux
  • Additional movement patterns
  • Stealth/evasion improvements
  • Detection bypass techniques
  • Performance optimizations

Contribution to: 100 Red Team Projects


📝 License

MIT License - See LICENSE file for details


👤 Author

Manthan Ghasadiya


Built with ❤️ for the red team community