Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/LloydLabs/process-enumeration-stealth
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/LloydLabs/process-enumeration-stealth
- Owner: LloydLabs
- License: mit
- Created: 2021-08-05T15:30:32.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-08-26T23:27:47.000Z (5 months ago)
- Last Synced: 2024-11-11T19:11:30.965Z (2 months ago)
- Language: C
- Size: 12.7 KB
- Stars: 76
- Watchers: 5
- Forks: 12
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - LloydLabs/process-enumeration-stealth - (C)
README
# 🚴 process-enumeration-stealth
## What is this?
This is a simple PoC that returns the list of PIDs currently using NTFS by querying the `\ntfs\` base device (the Windows file-system base object) with the `FileProcessIdsUsingFileInformation` information class. This sidesteps the APIs that process enumeration is normally expected to go through, such as `NtQuerySystemInformation` (`SystemProcessInformation`) or the higher-level `EnumProcesses`, so endpoint monitoring that keys on those calls does not observe the enumeration 🎉. Note that the query yields process IDs only; mapping a PID to an image name still needs a further lookup. Thank you to [Jonas Lyk](https://twitter.com/jonaslyk) for originally finding this trick.

## How does this work?
1. Get a handle to `\ntfs\` with `GENERIC_READ | SYNCHRONIZE`
2. Query the information with the `FileProcessIdsUsingFileInformation` class using the `NtQueryInformationFile` API
3. Walk the returned `PFILE_PROCESS_IDS_USING_FILE_INFORMATION` buffer: `NumberOfProcessIdsInList` entries in `ProcessIdList`, bounded by the byte count reported in the `IO_STATUS_BLOCK`

## Other
If you wish to contact me quicker, feel free to on [Twitter](https://twitter.com/LloydLabs) or [e-mail](mailto:[email protected]).
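## Example

The three steps above as one complete program, added here as an example; it is not the project's own code. The object path `\ntfs\` is taken from this README as written and is opened with `NtOpenFile`, which is this example's choice, as are the local `FILE_PROCESS_IDS_USING_FILE_INFORMATION` definition (the struct is not in the user-mode SDK headers) and the retry on `STATUS_INFO_LENGTH_MISMATCH` / `STATUS_BUFFER_OVERFLOW` when the list does not fit. The information class value 47 is `FileProcessIdsUsingFileInformation`. `collect_pids()` bounds the walk by the byte count in the `IO_STATUS_BLOCK` rather than trusting the header count alone, and is exercised on a constructed sample buffer so that part also compiles off Windows.

```c
/* Added example (not the project's code): PIDs via FileProcessIdsUsingFileInformation.
 * Path "\ntfs\" is taken from the README; NtOpenFile + buffer-growth loop are this example's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <wchar.h>
#else
typedef uint32_t  ULONG;      /* same widths as Windows so the struct layout matches */
typedef uintptr_t ULONG_PTR;
#endif

/* Layout returned for information class 47 (FileProcessIdsUsingFileInformation). */
typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION {
    ULONG     NumberOfProcessIdsInList;
    ULONG_PTR ProcessIdList[1];
} FILE_PROCESS_IDS_USING_FILE_INFORMATION;

/* Step 3: copy out the PIDs, never reading past the bytes actually returned (len). */
size_t collect_pids(const void *buf, size_t len, ULONG_PTR *out, size_t max_out)
{
    const size_t hdr = offsetof(FILE_PROCESS_IDS_USING_FILE_INFORMATION, ProcessIdList);
    const FILE_PROCESS_IDS_USING_FILE_INFORMATION *info = (const FILE_PROCESS_IDS_USING_FILE_INFORMATION *)buf;
    if (buf == NULL || len < hdr) return 0;
    size_t n = info->NumberOfProcessIdsInList;
    size_t avail = (len - hdr) / sizeof(ULONG_PTR);
    if (n > avail) n = avail;      /* short/truncated buffer: trust len, not the header count */
    if (n > max_out) n = max_out;
    for (size_t i = 0; i < n; i++) out[i] = info->ProcessIdList[i];
    return n;
}

/* Constructed sample buffer (not captured from a real system), same layout as above. */
typedef struct { ULONG NumberOfProcessIdsInList; ULONG_PTR ProcessIdList[3]; } SAMPLE_PIDS;
static const SAMPLE_PIDS g_sample = { 3, { 4, 1234, 5678 } };

#ifdef _WIN32
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
#ifndef STATUS_BUFFER_OVERFLOW
#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
#endif
#ifndef FILE_SYNCHRONOUS_IO_NONALERT
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#endif
#ifndef OBJ_CASE_INSENSITIVE
#define OBJ_CASE_INSENSITIVE 0x00000040
#endif
#define FILE_PROCESS_IDS_USING_FILE_INFORMATION_CLASS 47

typedef NTSTATUS (NTAPI *NtOpenFile_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG);
typedef NTSTATUS (NTAPI *NtQueryInformationFile_t)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, ULONG);

/* Steps 1 and 2: open the device, then query it, growing the buffer until the list fits. */
size_t enumerate_ntfs_pids(const wchar_t *nt_path, ULONG_PTR *out, size_t max_out)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtOpenFile_t pNtOpenFile = (NtOpenFile_t)GetProcAddress(ntdll, "NtOpenFile");
    NtQueryInformationFile_t pNtQIF = (NtQueryInformationFile_t)GetProcAddress(ntdll, "NtQueryInformationFile");
    if (!pNtOpenFile || !pNtQIF) return 0;

    UNICODE_STRING us;                       /* filled by hand so ntdll.lib is not needed */
    us.Buffer = (PWSTR)nt_path;
    us.Length = (USHORT)(wcslen(nt_path) * sizeof(WCHAR));
    us.MaximumLength = us.Length + sizeof(WCHAR);
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, &us, OBJ_CASE_INSENSITIVE, NULL, NULL);
    IO_STATUS_BLOCK iosb = {0};
    HANDLE h = NULL;
    NTSTATUS st = pNtOpenFile(&h, GENERIC_READ | SYNCHRONIZE, &oa, &iosb,
                              FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT);
    if (st < 0) { fprintf(stderr, "NtOpenFile failed: 0x%08lX\n", (unsigned long)st); return 0; }

    ULONG size = 4096;
    void *buf = NULL;
    size_t n = 0;
    for (;;) {
        void *tmp = realloc(buf, size);
        if (!tmp) break;
        buf = tmp;
        st = pNtQIF(h, &iosb, buf, size, FILE_PROCESS_IDS_USING_FILE_INFORMATION_CLASS);
        if ((st == STATUS_INFO_LENGTH_MISMATCH || st == STATUS_BUFFER_OVERFLOW) && size < (1u << 24)) {
            size *= 2;                       /* list did not fit: retry with a larger buffer */
            continue;
        }
        if (st >= 0) n = collect_pids(buf, (size_t)iosb.Information, out, max_out);
        else fprintf(stderr, "NtQueryInformationFile failed: 0x%08lX\n", (unsigned long)st);
        break;
    }
    free(buf);
    CloseHandle(h);
    return n;
}
#endif

int main(void)
{
#ifdef _WIN32
    ULONG_PTR pids[4096];
    size_t n = enumerate_ntfs_pids(L"\\ntfs\\", pids, sizeof(pids) / sizeof(pids[0]));
    for (size_t i = 0; i < n; i++) printf("%lu\n", (unsigned long)pids[i]);
    return n ? 0 : 1;
#else
    ULONG_PTR pids[8];
    size_t n = collect_pids(&g_sample, sizeof(g_sample), pids, 8);
    printf("parsed %zu PIDs from the constructed sample\n", n);
    return 0;
#endif
}
```

Build with MSVC or MinGW (`x86_64-w64-mingw32-gcc enum.c -o enum.exe`) and run on Windows; each line of output is a bare PID. Off Windows only the parser is built, and it is driven by the constructed sample.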