TechByTom · June 1, 2019 23:37
diff --git a/process_spoof.c b/process_spoof.c
 /* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
 /* spoof.exe explorer.exe calc.exe */
 #include <windows.h>
 #include <tlhelp32.h>

 #define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000

 typedef struct _STARTUPINFOEX {
  STARTUPINFO                 StartupInfo;
  LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
 } STARTUPINFOEX, *LPSTARTUPINFOEX;

 DWORD find_process_by_name(char *processname)
 {
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    DWORD result = NULL;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hProcessSnap) return(FALSE);

    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (!Process32First(hProcessSnap, &pe32))
    {
        CloseHandle(hProcessSnap);
        return NULL;
    }
    do
    {
        if (0 == strcmp(processname, pe32.szExeFile))
        {
            result = pe32.th32ProcessID;
            break;
        }
    } while (Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);

    return result;
 }

 void spoof_parent(char * parent, char * child)
 {
        STARTUPINFO si;
        STARTUPINFOEX six;
        PROCESS_INFORMATION pi;
        int attrsize = 0;

        ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
        ZeroMemory(&si, sizeof(STARTUPINFO));
        ZeroMemory(&six, sizeof(STARTUPINFOEX));

        InitializeProcThreadAttributeList(NULL, 1, 0, &attrsize);

        PPROC_THREAD_ATTRIBUTE_LIST pAttrList = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrsize);

        if(!pAttrList)
        {
                printf("[!] pAttrList initializing error 0x%x\n", GetLastError());
                return;
        }

        if(!InitializeProcThreadAttributeList(pAttrList, 1, 0, &attrsize))
        {
                printf("[!] InitializeProcthreadAttributeList() error 0x%x\n", GetLastError());
                DeleteProcThreadAttributeList(pAttrList);
                return;
        }

        DWORD dwProcessId = find_process_by_name(parent);

        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);

        if(!UpdateProcThreadAttribute(pAttrList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hProcess, sizeof(HANDLE), NULL, NULL))
        {
                printf("[!] UpdateProcThreadAttribute() error 0x%x\n", GetLastError());
                DeleteProcThreadAttributeList(pAttrList);
                CloseHandle(hProcess);
                return;
        }

        six.lpAttributeList = pAttrList;

        if(!CreateProcessA(NULL, child, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &six.StartupInfo, &pi))
        {
                printf("[!] CreateProcessA() error 0x%x\n", GetLastError());
                DeleteProcThreadAttributeList(pAttrList);
                CloseHandle(hProcess);
                return;
        }

        printf("[*] process %s spawned -> pid %i with parent %s\n", child, pi.dwProcessId, parent);
        DeleteProcThreadAttributeList(pAttrList);
        CloseHandle(hProcess);
 }

 int main(int argc, char **argv)
 {
 	spoof_parent(argv[1], argv[2]);
 	return 0;
 }
	/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
	/* spoof.exe explorer.exe calc.exe */
	#include <windows.h>
	#include <tlhelp32.h>

	#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000

	typedef struct _STARTUPINFOEX {
	STARTUPINFO StartupInfo;
	LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
	} STARTUPINFOEX, *LPSTARTUPINFOEX;

	DWORD find_process_by_name(char *processname)
	{
	HANDLE hProcessSnap;
	PROCESSENTRY32 pe32;
	DWORD result = NULL;

	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (INVALID_HANDLE_VALUE == hProcessSnap) return(FALSE);

	pe32.dwSize = sizeof(PROCESSENTRY32);

	if (!Process32First(hProcessSnap, &pe32))
	{
	CloseHandle(hProcessSnap);
	return NULL;
	}
	do
	{
	if (0 == strcmp(processname, pe32.szExeFile))
	{
	result = pe32.th32ProcessID;
	break;
	}
	} while (Process32Next(hProcessSnap, &pe32));

	CloseHandle(hProcessSnap);

	return result;
	}

	void spoof_parent(char * parent, char * child)
	{
	STARTUPINFO si;
	STARTUPINFOEX six;
	PROCESS_INFORMATION pi;
	int attrsize = 0;

	ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
	ZeroMemory(&si, sizeof(STARTUPINFO));
	ZeroMemory(&six, sizeof(STARTUPINFOEX));

	InitializeProcThreadAttributeList(NULL, 1, 0, &attrsize);

	PPROC_THREAD_ATTRIBUTE_LIST pAttrList = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrsize);

	if(!pAttrList)
	{
	printf("[!] pAttrList initializing error 0x%x\n", GetLastError());
	return;
	}

	if(!InitializeProcThreadAttributeList(pAttrList, 1, 0, &attrsize))
	{
	printf("[!] InitializeProcthreadAttributeList() error 0x%x\n", GetLastError());
	DeleteProcThreadAttributeList(pAttrList);
	return;
	}

	DWORD dwProcessId = find_process_by_name(parent);

	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);

	if(!UpdateProcThreadAttribute(pAttrList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hProcess, sizeof(HANDLE), NULL, NULL))
	{
	printf("[!] UpdateProcThreadAttribute() error 0x%x\n", GetLastError());
	DeleteProcThreadAttributeList(pAttrList);
	CloseHandle(hProcess);
	return;
	}

	six.lpAttributeList = pAttrList;

	if(!CreateProcessA(NULL, child, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &six.StartupInfo, &pi))
	{
	printf("[!] CreateProcessA() error 0x%x\n", GetLastError());
	DeleteProcThreadAttributeList(pAttrList);
	CloseHandle(hProcess);
	return;
	}

	printf("[*] process %s spawned -> pid %i with parent %s\n", child, pi.dwProcessId, parent);
	DeleteProcThreadAttributeList(pAttrList);
	CloseHandle(hProcess);
	}

	int main(int argc, char **argv)
	{
	spoof_parent(argv[1], argv[2]);
	return 0;
	}