https://github.com/evilbytecode/ppid-spoofing
Parent Process ID Spoofing, coded in CGo.
- Host: GitHub
- URL: https://github.com/evilbytecode/ppid-spoofing
- Owner: EvilBytecode
- Created: 2024-06-19T08:04:07.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-06-27T06:44:05.000Z (12 months ago)
- Last Synced: 2025-03-26T08:37:31.826Z (3 months ago)
- Language: Go
- Size: 3.91 KB
- Stars: 22
- Watchers: 1
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
- This is a simple method to bypass malicious-behavior detections that rely on the parent-child process relationship. Usually, when an application starts another executable, the new process is assigned a parent PID that indicates which process created it. This makes it possible to detect, and possibly block, suspicious activity such as a `Word`/`Excel` application starting `PowerShell`. The technique may be combined with, for example, process hollowing to achieve more stealth.
- The great thing is that the `CreateProcess` API lets you provide additional information for process creation, including an attribute called `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS`. Let's see how to use it: we will create a `Notepad` process in such a way that it looks like it was spawned by `explorer.exe`.