Light

kara-4search / peb-ppidspoofing_csharp Goto Github PK

View Code? Open in Web Editor NEW

25.0 1.0 9.0 2.24 MB

Command line & PPID spoofing

C# 100.00%

bypass sysmon csharp edr redteam pentest ppid avatar

peb-ppidspoofing_csharp's Introduction

PEB-PPIDspoofing_Csharp

Blog link:

part-1: https://mp.weixin.qq.com/s/oboW9ToiTUNfiOExHFrXXA
part-2: https://mp.weixin.qq.com/s/oFxkeR9gvHw26Z5-DijZ2w

Create a process with a fake PPID and a fake command line.
It a test version, only tested in Win10_x64.
The purpose is to bypass Sysmon and parent process detection
You are gonna need to change the PPID in the Main function, OR we could add a function(like a funciton call Find_explorer) to find a process's PID as a parent process. (Most of the time, we would choose explorer.exe).
~~I am gonna update the Find_explorer function and fix some bugs soon~~(DONE).
Importance! The Fake command line must be longer than the real one, but also there are some ideas to fix that(I am gonna talk about that in my blog), for now, you just need to remember The fake command line must be longer than the real one
It only works with x64, cause the offset different from x86, also maybe I am gonna update that too.
I updated the code, now it's gonna find "explorer" pid automaticlly, but also you could change explorer to other process name.
I have restructed the code, make it easy for understanding.
Feel free to make any issues and advises

Usage

Select a process pid as parent process pid.
Set the fake command line and the real command line.
Launch the assembly through a white list application.

To-Do list

~~Restructure PEB-PPIDspoofing_Csharp code.~~ - DONE

Update history

Find process's pid automaticlly - 20210804
Restructure code - 20210821
Fixed bugs: Line 175 in ProcessCreator.cs, NtWriteVirtualMemory with wrong args. - 20220105
Update blog link for PEB-PPIDspoofing - 20230415

Reference link

peb-ppidspoofing_csharp's People

Contributors

Stargazers

Watchers

Forkers

bigbrobro scriptidiot askyeye anti-ghosts noostudent nyx2022 sariohara

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.