Skip to content

fengjixuchui/NtCreateUserProcess-2

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

LICENSE.md

LICENSE.md

 
 

NtCreateUserProcess.sln

NtCreateUserProcess.sln

 
 

NtCreateUserProcess.vcxproj

NtCreateUserProcess.vcxproj

 
 

NtCreateUserProcess.vcxproj.user

NtCreateUserProcess.vcxproj.user

 
 

README.md

README.md

 
 

imports.h

imports.h

 
 

main.cpp

main.cpp

 
 

Repository files navigation

What is this?

This is a small PoC (Proof of concept) that invokes NtCreateUserProcess to spawn a Command prompt. This also showcases PPID* (Parent Process ID) spoofing, where the parent is not the creator.

* You must have a valid handle to the parent process.

What is NtCreateUserProcess?

NtCreateUserProcess is lowest level API that spawns processes. Every WINAPI calls this.

Call chain from APIs to NtCreateUserProcess

  • kernel32.dll!CreateProcess
    • CreateProcessInternalW
      • ntdll.dll!NtCreateUserProcess

  • ntdll.dll!RtlCreateUserProcessEx
    • RtlpCreateUserProcess
      • ntdll.dll!NtCreateUserProcess

Requirements

Visual Studio
x86 or x64 machine (ARM or ARM64 is not tested)

Remarks

This API function is very buggy on Windows 10, that's where most other PoCs fail. Especially when the executable is Win32 (x86).

License

Please consider checking out my library Windows-Native

About

A small NtCreateUserProcess PoC that spawns a Command prompt.

Resources

Readme

License

OSL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 80.1%
  • C++ 19.9%