
PPID Spoofing

What is PPID Spoofing?

PPID (Parent Process ID) Spoofing is a technique used by red team operators to alter the Parent Process ID of a process, thereby concealing its true origin or avoiding detection. Normally, a process's Parent Process ID reveals which process started it. By modifying this ID, malicious software can appear to have been started by a legitimate process (such as explorer.exe) rather than by its actual malicious origin. Hence, PPID Spoofing attacks can be considered as leveraging vulnerabilities in the Kernel Driver.


Purpose and Principle

By default, most programs that require user interaction are launched by explorer.exe. For example, when we create a new text document on the desktop and then open it with Notepad, the resulting process tree can be observed with Process Explorer or Process Hacker.

You can clearly see the parent-child relationship: explorer.exe -> Notepad.exe.

However, with the following code, we can make Notepad.exe appear as if it had been created by Discord.exe (PID: 19100).

#define _CRT_SECURE_NO_WARNINGS

#include <windows.h>
#include <TlHelp32.h>
#include <iostream>

int main()
{
    STARTUPINFOEXA si;
    PROCESS_INFORMATION pi;
    SIZE_T attributeSize = 0;
    ZeroMemory(&si, sizeof(STARTUPINFOEXA));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));

    // Open the process that should appear as the parent (modify the PID here)
    HANDLE parentProcessHandle = OpenProcess(MAXIMUM_ALLOWED, FALSE, 19100);
    if (parentProcessHandle == NULL)
    {
        std::cerr << "OpenProcess failed: " << GetLastError() << std::endl;
        return 1;
    }

    // The first call only reports the buffer size needed for one attribute
    InitializeProcThreadAttributeList(NULL, 1, 0, &attributeSize);
    si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attributeSize);
    InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attributeSize);
    // PROC_THREAD_ATTRIBUTE_PARENT_PROCESS makes the new process report this handle's process as its parent
    UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);
    si.StartupInfo.cb = sizeof(STARTUPINFOEXA);

    // lpCommandLine must be writable, so use an array rather than a casted string literal
    char commandLine[] = "notepad";
    // EXTENDED_STARTUPINFO_PRESENT tells CreateProcessA that si is a STARTUPINFOEX
    if (!CreateProcessA(NULL, commandLine, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi))
    {
        std::cerr << "CreateProcessA failed: " << GetLastError() << std::endl;
    }
    else
    {
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }

    // Release the attribute list and close the parent handle once they are no longer needed
    DeleteProcThreadAttributeList(si.lpAttributeList);
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    CloseHandle(parentProcessHandle);

    return 0;
}

The key function here is CreateProcessA.


What is CreateProcessA?

CreateProcessA is the usual way to create a new process, and by default the new process inherits the caller as its parent. For example, a program launched from cmd has cmd as its parent. However, the function also accepts a parameter called lpStartupInfo through which the parent process can be customized.

[in] lpStartupInfo

A pointer to a STARTUPINFO or STARTUPINFOEX structure.

To set extended attributes, use a STARTUPINFOEX structure and specify EXTENDED_STARTUPINFO_PRESENT in the dwCreationFlags parameter.

Handles in STARTUPINFO or STARTUPINFOEX must be closed with CloseHandle when they are no longer needed.

The STARTUPINFOEX structure contains an lpAttributeList.

lpAttributeList

An attribute list. This list is created by the InitializeProcThreadAttributeList function.

The documentation notes that to add attributes to the list, you need to call the UpdateProcThreadAttribute function.

UpdateProcThreadAttribute takes a parameter called Attribute; passing PROC_THREAD_ATTRIBUTE_PARENT_PROCESS sets the parent process of the new process.

When a Word document generated with Cobalt Strike's Office macro is opened by the victim, it establishes a connection back to the operator.

The example shows rundll32.exe running under word.exe.

Therefore, PPID Spoofing is designed to evade detection based on the parent-child process relationship.
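The detection side of the parent-child relationship, as an added example that is not part of the original post: following the approach in the F-Secure reference, it compares the PID of the process that actually issued the create call (the event header's ProcessId in ETW Microsoft-Windows-Kernel-Process ProcessStart events) with the ParentProcessID the new process reports, and flags mismatches. The field layout, the allowlist and the sample events are assumptions.

```python
"""Flag process-start events whose real creator differs from the reported parent.

Assumes ETW Microsoft-Windows-Kernel-Process ProcessStart events, where the event
header's ProcessId is the process that called CreateProcess and the payload's
ParentProcessID is the parent the new process reports. Sample data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    creator_pid: int      # EVENT_HEADER.ProcessId: the process that made the create call
    creator_image: str
    parent_pid: int       # payload ParentProcessID: parent shown by Process Explorer etc.
    new_pid: int
    new_image: str


# Creators known to set another parent legitimately (assumption: tune per environment).
# svchost.exe hosts the AppInfo service, which reparents UAC-elevated processes.
ALLOWED_CREATOR_IMAGES = {"svchost.exe"}


def is_ppid_spoofed(evt: ProcessStart) -> bool:
    """A spoof shows up as creator != parent for a creator not on the allowlist."""
    if evt.creator_pid == evt.parent_pid:
        return False
    return evt.creator_image.lower() not in ALLOWED_CREATOR_IMAGES


def scan(events) -> list:
    """Return one finding per spoofed start, naming the real and the claimed parent."""
    findings = []
    for evt in events:
        if is_ppid_spoofed(evt):
            findings.append({
                "new_pid": evt.new_pid,
                "image": evt.new_image,
                "claimed_parent_pid": evt.parent_pid,
                "real_creator_pid": evt.creator_pid,
                "real_creator": evt.creator_image,
            })
    return findings


# Constructed sample: a normal Notepad launch, the Discord-parented launch from the post
# (PID 19100, really created by a tool at PID 7777), and a legitimate UAC elevation.
SAMPLE_EVENTS = [
    ProcessStart(4321, "explorer.exe", 4321, 5001, "notepad.exe"),
    ProcessStart(7777, "spoofer.exe", 19100, 5002, "notepad.exe"),
    ProcessStart(900, "svchost.exe", 4321, 5003, "mmc.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Tools that only read the parent PID (Process Explorer, Sysmon's ParentProcessId) show the spoofed value, which is why the check needs the creator PID from the event header.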


References

  1. ired.team : Parent Process ID (PPID) Spoofing
  2. Capt. Meelo : Picky PPID Spoofing
  3. F-Secure : Detecting Parent PID Spoofing