Skip to content

/ metasploit-payloads

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for PPID spoofing #374

Open
wants to merge 1 commit into
base: master
from
Open

Add support for PPID spoofing #374

wants to merge 1 commit into from
+98 −20

Conversation

@phra
Copy link
Contributor

phra commented Dec 16, 2019

will fix #373
@phra
add support for PPID spoofing
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
b35cc0a 
fix #373
@phra phra mentioned this pull request Dec 17, 2019
Open
8 of 8 tasks complete
@bwatters-r7 bwatters-r7 self-assigned this Dec 27, 2019
@bwatters-r7
bwatters-r7 reviewed Dec 27, 2019
View changes
c/meterpreter/source/extensions/stdapi/server/sys/process/process.c
@@ -407,7 +480,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)

if (session_id(GetCurrentProcessId()) == session || !hWtsapi32)
{
if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, &si, &pi))
if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, (STARTUPINFOA*)&si, &pi))

This comment has been minimized.

Sign in to view
Copy link
@bwatters-r7

bwatters-r7 Dec 27, 2019

Contributor

Why cast this larger object to a smaller contained object rather than pass the smaller contained object in itself? To be more specific, why use this:
(STARTUPINFOA*)&si
When you're effectively passing in this:
si.StartupInfo
?
It will work because the first object in the STARTUPINFOEXA object is a STARTUPINFOA object, but it would seem to be better and more clear to just pass in the STARTUPINFOA object itself? Or am I missing something?

This comment has been minimized.

Sign in to view
Copy link
@phra

phra Jan 2, 2020
edited

Author Contributor

the manually declared _STARTUPINFOEXA extends the existing STARTUPINFOEXA by adding LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList since it's not available on win xp.
when i wrote the code, i thought to make explicit the fact that the struct is effectively casted down to STARTUPINFOA, but it gets interpreted as STARTUPINFOEXA when the flag EXTENDED_STARTUPINFO_PRESENT is specified.
it will work in both ways, maybe si.StartupInfo is more clear, but since the CreateProcess function can potentially access data outside si.StartupInfo i preferred to use an explicit cast. feel free to send a PR with the proposed change. 👍

This comment has been minimized.

Sign in to view
Copy link
@bwatters-r7

bwatters-r7 Jan 16, 2020

Contributor

Apologies for the long delay...
Wow.... I did not know about the EXTENDED_STARTUPINFO_PRESENT attribute bit. That's.... uh... certainly one way to overload a method, and I'm a little sad that's the route MS took on it. In light of that, what you have makes perfect sense, though it's necessity makes me sad.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwatters-r7 bwatters-r7

Assignees

@bwatters-r7 bwatters-r7

Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@phra @bwatters-r7
You can’t perform that action at this time.