Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for PPID spoofing #374

Open
wants to merge 1 commit into
base: master
from
Open

Add support for PPID spoofing #374

wants to merge 1 commit into from

Conversation

@phra
Copy link
Contributor

phra commented Dec 16, 2019

will fix #373

fix #373
@phra phra mentioned this pull request Dec 17, 2019
8 of 8 tasks complete
@bwatters-r7 bwatters-r7 self-assigned this Dec 27, 2019
@@ -407,7 +480,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)

if (session_id(GetCurrentProcessId()) == session || !hWtsapi32)
{
if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, &si, &pi))
if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, (STARTUPINFOA*)&si, &pi))

This comment has been minimized.

Copy link
@bwatters-r7

bwatters-r7 Dec 27, 2019

Contributor

Why cast this larger object to a smaller contained object rather than pass the smaller contained object in itself? To be more specific, why use this:
(STARTUPINFOA*)&si
When you're effectively passing in this:
si.StartupInfo
?
It will work because the first object in the STARTUPINFOEXA object is a STARTUPINFOA object, but it would seem to be better and more clear to just pass in the STARTUPINFOA object itself? Or am I missing something?

This comment has been minimized.

Copy link
@phra

phra Jan 2, 2020

Author Contributor

the manually declared _STARTUPINFOEXA extends the existing STARTUPINFOEXA by adding LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList since it's not available on win xp.
when i wrote the code, i thought to make explicit the fact that the struct is effectively casted down to STARTUPINFOA, but it gets interpreted as STARTUPINFOEXA when the flag EXTENDED_STARTUPINFO_PRESENT is specified.
it will work in both ways, maybe si.StartupInfo is more clear, but since the CreateProcess function can potentially access data outside si.StartupInfo i preferred to use an explicit cast. feel free to send a PR with the proposed change. 👍

This comment has been minimized.

Copy link
@bwatters-r7

bwatters-r7 Jan 16, 2020

Contributor

Apologies for the long delay...
Wow.... I did not know about the EXTENDED_STARTUPINFO_PRESENT attribute bit. That's.... uh... certainly one way to overload a method, and I'm a little sad that's the route MS took on it. In light of that, what you have makes perfect sense, though it's necessity makes me sad.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.