在使用CreateProcess函数创建新进程时可以通过UpdateProcThreadAttribute( )函数人为修改STARTUPINFOEXA结构体的lpAttributeList成员变量值来指定子进程的父进程,具体代码如下:
/*
 * Demonstration of parent-process spoofing via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS:
 * the child is created by this program, but the kernel records the process named
 * by l_hParentHandle (PID 588, lsass.exe in the article's run) as its parent.
 * Process-tree views built from the reported parent PID will therefore
 * mis-attribute the child; the ETW Microsoft-Windows-Kernel-Process provider
 * still records the real creator, which is what the detection script below relies on.
 *
 * NOTE(review): the header names were lost in extraction; the Win32 APIs used
 * here come from windows.h and printf from stdio.h.
 */
#include
#include

int main(int argc, char* argv[]) {
    /* NOTE(review): '\w', '\s' and '\c' are not valid C escape sequences — the
     * original source presumably used doubled backslashes (C:\\windows\\...). */
    const char* l_szExePathA = "C:\windows\system32\calc.exe";
    /* PID to be reported as the parent; hard-coded to match the article's run. */
    DWORD l_dwParentPid = 588;
    /* Handle to the fake parent. NOTE(review): the result is never checked for
     * NULL and the handle is never closed, so it leaks until the process exits. */
    HANDLE l_hParentHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, l_dwParentPid);

    STARTUPINFOEXA si;
    ZeroMemory(&si, sizeof(si));
    si.StartupInfo.cb = sizeof(si);

    /* Two-call pattern: the first call only reports the size needed for one
     * attribute, the second initializes the allocated list. Neither return
     * value (nor the HeapAlloc result) is checked. */
    SIZE_T sizeToAllocate = 0;
    InitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);
    si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeToAllocate);
    InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);

    // Set the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS option to specify the parent process to use
    if (!UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &l_hParentHandle, sizeof(HANDLE), NULL, NULL)) {
        /* NOTE(review): "failedn" is almost certainly "failed\n" with the
         * backslash lost in extraction. */
        printf("UpdateProcThreadAttribute failedn");
        return 1;
    }

    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));
    /* EXTENDED_STARTUPINFO_PRESENT makes CreateProcess honour lpAttributeList.
     * NOTE(review): the BOOL result in 'a' is never inspected; on failure pi
     * still holds the zeroed handles and the CloseHandle calls below receive NULL. */
    BOOL a=CreateProcessA(NULL,(LPSTR)l_szExePathA,NULL,NULL,TRUE,EXTENDED_STARTUPINFO_PRESENT|CREATE_NEW_CONSOLE,NULL,NULL,(LPSTARTUPINFOA)&si,&pi);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    DeleteProcThreadAttributeList(si.lpAttributeList);
    /* NOTE(review): the list was allocated with flags 0 but is freed with
     * HEAP_NO_SERIALIZE; the flags should match, and HEAP_NO_SERIALIZE is
     * documented as inappropriate for the process default heap — verify. */
    HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE,si.lpAttributeList);
    return 0;
}
实际效果如下图。parent.exe(pid:3960)进程创建了calc.exe(pid:2276)进程,进程浏览器实际显示lsass.exe(pid:588)是父进程。
检测方法可以使用微软的事件追踪(ETW)来确定是否使用了父进程欺骗。这里使用火眼(FireEye)在GitHub上开源的一个Python3项目pywintrace,具体代码如下:
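"""Capture Microsoft-Windows-Kernel-Process ETW events to spot parent-PID spoofing.

The process-creation event carries two process identifiers: the creator recorded
in the event header (the process that actually called CreateProcess) and the
ParentProcessID field (the parent the child will report). When the two differ,
the child's parent was set explicitly via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
"""
import sys
import time
import etw


def some_func():
    """Record all Kernel-Process events for 10 seconds, printing each to stdout.

    Consuming this provider normally needs an elevated session — TODO confirm
    for the target host.
    """
    # define capture provider info
    providers = [etw.ProviderInfo('Microsoft-Windows-Kernel-Process',
                                  etw.GUID("{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}"))]
    # create instance of ETW class; every event is dumped raw so the
    # ProcessId / ParentProcessID pair can be compared in the output file
    # (exact key layout of the event dict depends on pywintrace — verify)
    job = etw.ETW(providers=providers, event_callback=lambda x: print(x))
    # start capture
    job.start()
    try:
        # wait some time
        time.sleep(10)
    finally:
        # stop capture even if the wait is interrupted (Ctrl-C); otherwise the
        # ETW trace session keeps running after this script exits
        job.stop()


def main():
    r"""Run the capture with stdout redirected into the output file.

    NOTE(review): in a normal string literal "\a" is the BEL character, so the
    file name is 'D:' followed by byte 0x07 — the intended path is presumably
    "D:\\a" (or a raw string). The literal is kept as-is here.
    """
    # Redirect stdout only for the duration of the capture and always restore
    # it, even when the capture raises, so sys.stdout is never left pointing
    # at a closed file; the with-block guarantees the file is closed.
    with open("D:\a", "w") as f:
        old = sys.stdout
        sys.stdout = f
        try:
            some_func()
        finally:
            sys.stdout = old


if __name__ == "__main__":
    main()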
打开输出结果文件,出现3个进程ID,分别是:
ProcessId:3960、ProcessID:2276、ParentProcessID:588
ProcessId:事件中记录的实际创建者,即该进程的真实父进程
ProcessId和ParentProcessID两个进程ID不同,说明在创建calc.exe(pid:2276)进程时人为指定了其父进程。
结果如下:
参考地址https://www.anquanke.com/post/id/168618
https://blog.f-secure.com/detecting-parent-pid-spoofing/
https://github.com/fireeye/pywintrace