{"id":21525650,"url":"https://github.com/0xlane/ppspoofing","last_synced_at":"2025-07-19T08:12:13.711Z","repository":{"id":65572074,"uuid":"586709996","full_name":"0xlane/ppspoofing","owner":"0xlane","description":"A test tool for the parent process PID spoofing technique, written in Rust","archived":false,"fork":false,"pushed_at":"2023-01-09T07:56:26.000Z","size":523,"stargazers_count":53,"open_issues_count":0,"forks_count":12,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-24T01:12:09.229Z","etag":null,"topics":["ppid-spoofing","rust","windows"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xlane.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2023-01-09T03:06:53.000Z","updated_at":"2025-02-09T10:48:38.000Z","dependencies_parsed_at":"2023-02-08T09:15:36.294Z","dependency_job_id":null,"html_url":"https://github.com/0xlane/ppspoofing","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xlane%2Fppspoofing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xlane%2Fppspoofing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xlane%2Fppspoofing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xlane%2Fppspoofing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xlane","download_url":"https://codeload.github.com/0xlane/ppspoofing/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248126580,"owners_cou
nt":21051968,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ppid-spoofing","rust","windows"],"created_at":"2024-11-24T01:37:55.630Z","updated_at":"2025-04-09T23:22:24.063Z","avatar_url":"https://github.com/0xlane.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ppspoofing\n\nA test tool for the parent process PID spoofing technique, written in Rust.\n\n## Usage\n\n```bash\ncargo build\ncargo run -- \u003cpid\u003e \u003ccommandline\u003e\n```\n\nIn `powershell` it can be used like this:\n\n```powershell\nppspoofing.exe (Get-Process -Name winlogon)[0].Id notepad.exe\n```\n\n![x](screenshot.png)\n\n## How it works\n\n1. Check the privileges the tool is running with and try to enable the DEBUG privilege, although not every process actually requires this step\n2. Obtain a handle to the target process with `OpenProcess`, with access right `PROCESS_ALL_ACCESS`\n3. Create a `STARTUPINFOEXA` and initialize it by calling `InitializeProcThreadAttributeList`\n4. Call `UpdateProcThreadAttribute` to set the handle value obtained in step 1 in `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS`\n5. Call `CreateProcess` to create the process, with creation flags `CREATE_UNICODE_ENVIRONMENT | EXTENDED_STARTUPINFO_PRESENT`\n\n## Known issues\n\n1. In step 2, even an administrator user cannot obtain a handle with all access rights to PPL processes; the impact is small, and how to work around it is left for you to research yourself\n2. With some processes as the parent, a created cmd.exe process exits immediately; the cause has not been investigated, and creating notepad.exe does not have this problem\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xlane%2Fppspoofing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xlane%2Fppspoofing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xlane%2Fppspoofing/lists"}