Modify the parent process of the target process

Source: Internet
Author: User

 

Source: http://pjf.blogone.net
Author: pjf (jfpan20000@sina.com)
I had a junior colleague test the process rules in version 1.06. He asked: "Why are there two fields, Source Process and Parent Process? Isn't the parent process simply the process that creates the target process?"
Since the answer is simple I only replied briefly at the time; as I have not posted anything on http://pjf.blogone.net for many days, I am writing it up here to fill the gap, with some embarrassment.
In Windows, the "parent process" does not mean the source process that creates the target; it means the process from which the child process "inherits" its objects. Many important fields of the child process — the quota block, device map, session id, token, and the process address space — are all inherited from the parent process. How is the parent process specified? Both NtCreateProcess and NtCreateProcessEx take a ParentProcess handle that indicates who the parent process is. The parent process is not required to be the current process, although CreateProcessW always passes the current process. Hence the distinction between "source process" and "parent process".
So how does one specify a parent process other than the current process? Gary Nebbett published code for this years ago; it is reproduced below:

The following is the program code:

// Hand-rolled declarations of the NT native API used by the program below
// (ntdll structure layouts, information classes and Zw*/Rtl* prototypes).
// They are needed because the program bypasses the Win32 CreateProcess path
// and calls the native routines directly.
// NOTE(review): this listing is reproduced from a web page that altered
// letter case ("Typedef", "Ulong", "Zwopenfile", ...) and replaced some
// characters; it is not compilable as printed. Several layouts and constants
// are undocumented and tied to the Windows version/architecture the original
// author targeted — treat them as assumptions to confirm, not as portable
// definitions.
# DEFINE _ Win32 _
# Include <stdio. h>
# Include <windows. h>

Extern "C "{
# Define ntapi _ stdcall
Typedef struct _ peb * ppeb;
# Define page_size 0x1000
Typedef long ntstatus;
# Define declspec_import _ declspec (dllimport)
# Define ntsysapi declspec_import
Typedef struct _ client_id {
Handle uniqueprocess;
Handle uniquethread;
} Client_id;
Typedef client_id * pclient_id;
// LPC message header; informcsrss() places it in front of its CSRSS request.
Typedef struct _ port_message {
Ushort datasize;
Ushort messagesize;
Ushort messagetype;
Ushort virtualrangesoffset;
Client_id clientid;
Ulong messageid;
Ulong sectionsize;
// Uchar data [];
} Port_message, * pport_message;
Typedef struct _ unicode_string {
Ushort length;
Ushort maximumlength;
# Ifdef midl_pass
[Size_is (maximumlength/2), length_is (length)/2)] ushort * buffer;
# Else // midl_pass
Pwstr buffer;
# Endif // midl_pass
} Unicode_string;
Typedef unicode_string * punicode_string;
// Process-parameters block produced by rtlcreateprocessparameters();
// createprocessparameters() below copies `size` bytes of it into the target
// and rewrites `environment` with a pointer valid in the target.
Typedef struct _ process_parameters {
Ulong allocationsize;
Ulong size;
Ulong flags;
Ulong zero;
Long console;
Ulong processgroup;
Handle hstdinput;
Handle hstdoutput;
Handle hstderror;
Unicode_string currentdirectoryname;
Handle currentdirectoryhandle;
Unicode_string dllpath;
Unicode_string imagefile;
Unicode_string CommandLine;
Pwstr environment;
Ulong dwx;
Ulong dwy;
Ulong dwxsize;
Ulong dwysize;
Ulong dwxcountchars;
Ulong dwycountchars;
Ulong dwfillattribute;
Ulong dwflags;
Ulong wshowwindow;
Unicode_string windowtitle;
Unicode_string desktop;
Unicode_string reserved;
Unicode_string reserved2;
} Process_parameters, * pprocess_parameters;
# Define obj_inherit 0x00000002l
# Define obj_permanent 0x00000010l
# Define obj_exclusive 0x00000020l
# Define obj_case_insensitive 0x00000040l
# Define obj_openif 0x00000080l
# Define obj_openlink 0x00000100l
# Define obj_kernel_handle 0x00000200l
# Define obj_valid_attributes 0x000003f2l
Typedef struct _ object_attributes {
Ulong length;
Handle rootdirectory;
Punicode_string objectname;
Ulong attributes;
Pvoid securitydescriptor; // points to type security_descriptor
Pvoid securityqualityofservice; // points to type security_quality_of_service
} Object_attributes;
Typedef object_attributes * pobject_attributes;
Typedef unsigned long ulong_ptr, * pulong_ptr;
Typedef struct _ io_status_block {
Union {
Ntstatus status;
Pvoid pointer;
};
Ulong_ptr information;
} Io_status_block, * pio_status_block;
# Define file_synchronous_io_nonalert 0x00000020
// Returned for sectionimageinformation; exec() relies on entrypoint,
// stackreserve and stackcommit. The unknown* fields are unnamed here.
Typedef struct _ section_image_information {// Information Class 1
Pvoid entrypoint;
Ulong unknown1;
Ulong stackreserve;
Ulong stackcommit;
Ulong subsystem;
Ushort minorsubsystemversion;
Ushort majorsubsystemversion;
Ulong unknown2;
Ulong characteristics;
Ushort imagenumber;
Boolean executable;
Uchar unknown3;
Ulong unknown4 [3];
} Section_image_information, * psection_image_information;
Typedef Enum _ section_information_class {
Sectionbasicinformation,
Sectionimageinformation
} Section_information_class;
Typedef struct _ user_stack {
Pvoid fixedstackbase;
Pvoid fixedstacklimit;
Pvoid expandablestackbase;
Pvoid expandablestacklimit;
Pvoid expandablestackbottom;
} User_stack, * puser_stack;
Typedef long kpriority;
// exec() queries this only to obtain pebbaseaddress of the new process.
Typedef struct _ process_basic_information {
Ntstatus exitstatus;
Ppeb pebbaseaddress;
Ulong_ptr affinitymask;
Kpriority basepriority;
Ulong_ptr uniqueprocessid;
Ulong_ptr inheritedfromuniqueprocessid;
} Process_basic_information;
Typedef process_basic_information * pprocess_basic_information;
Typedef Enum _ processinfoclass {
Processbasicinformation,
Processquotalimits,
Processiocounters,
Processvmcounters,
Processtimes,
Processbasepriority,
Processraisepriority,
Processdebugport,
Processexceptionport,
Processaccesstoken,
Processldtinformation,
Processldtsize,
Processdefaultharderrormode,
Processioporthandlers, // Note: This is kernel mode only
Processpooledusageandlimits,
Processworkingsetwatch,
Processusermodeiopl,
Processenablealignmentfaultfixup,
Processpriorityclass,
Processwx86information,
Processhandlecount,
Processaffinitymask,
Processpriorityboost,
Processdevicemap,
Processsessioninformation,
Processforegroundinformation,
Processwow64information,
Maxprocessinfoclass
} Processinfoclass;
// NOTE(review): in this reproduction the macro's line-continuation characters
// print as '/' and the `attributes` assignment below has lost its right-hand
// side (the A argument).
# Define initializeobjectattributes (p, N, A, R, S ){/
(P)-> length = sizeof (object_attributes );/
(P)-> rootdirectory = r ;/
(P)-> attributes = ;/
(P)-> objectname = N ;/
(P)-> securitydescriptor = s ;/
(P)-> securityqualityofservice = NULL ;/
}
# Define file_open 0x00000001
# Define directory_query (0x0001)
// Undocumented ntdll routine used to talk to CSRSS; the meaning of
// `opcode` and `size` is not declared here — informcsrss() passes raw
// constants.
Ntstatus
Ntapi
Csrclientcallserver (
In pvoid message,
In pvoid,
In ulong opcode,
In ulong size );
Ntsysapi
Ntstatus
Ntapi
Zwallocatevirtualmemory (
In handle processhandle,
In out pvoid * baseaddress,
In ulong zerobits,
In out Pulong allocationsize,
In ulong allocationtype,
In ulong protect );
Ntsysapi
Ntstatus
Ntapi
Zwwritevirtualmemory (
In handle processhandle,
In pvoid baseaddress,
In pvoid buffer,
In ulong bufferlength,
Out Pulong returnlength optional );
Ntstatus
Ntapi
Rtlcreateprocessparameters (
Out pprocess_parameters * processparameters,
In punicode_string imagefile,
In punicode_string dllpath optional,
In punicode_string currentdirectory optional,
In punicode_string CommandLine optional,
In ulong creationflags,
In punicode_string windowtitle optional,
In punicode_string desktop optional,
In punicode_string reserved optional,
In punicode_string reserved2 optional );
Ntstatus
Ntapi
Rtldestroyprocessparameters (
In pprocess_parameters processparameters );
Ntsysapi
Ntstatus
Ntapi
Zwopenfile (
Out phandle filehandle,
In access_mask desiredaccess,
In pobject_attributes objectattributes,
Out pio_status_block iostatusblock,
// `internal access` is presumably the share-access parameter, mangled by
// the page (same in zwcreatefile below).
In ulong internal access,
In ulong openoptions );

Ntsysapi
Ntstatus
Ntapi
Zwdeletefile (
In pobject_attributes objectattributes );
Ntsysapi
Ntstatus
Ntapi
Zwcreatesection (
Out phandle sectionhandle,
In access_mask desiredaccess,
In pobject_attributes objectattributes,
In plarge_integer sectionsize optional,
In ulong protect,
In ulong attributes,
In handle filehandle );
Ntsysapi
Ntstatus
Ntapi
Zwclose (
In handle );
// `inheritfromprocesshandle` selects the parent: the new process inherits
// from it rather than from the caller. The article's distinction between
// "source process" and "parent process" hinges on this parameter.
Ntsysapi
Ntstatus
Ntapi
Zwcreateprocess (
Out phandle processhandle,
In access_mask desiredaccess,
In pobject_attributes objectattributes,
In handle inheritfromprocesshandle,
In Boolean inherithandles,
In handle sectionhandle optional,
In handle debugport optional,
In handle exceptionport optional );
// Current-process pseudo-handle; the opening parenthesis before `(handle)`
// is missing in this reproduction.
# Define ntcurrentprocess () (handle)-1)
Ntsysapi
Ntstatus
Ntapi
Zwquerysection (
In handle sectionhandle,
In section_information_class sectioninformationclass,
Out pvoid sectioninformation,
In ulong sectioninformationlength,
Out Pulong resultlength optional );
Ntsysapi
Ntstatus
Ntapi
Zwprotectvirtualmemory (
In handle processhandle,
In out pvoid * baseaddress,
In out Pulong protectsize,
In ulong newprotect,
Out Pulong oldprotect );
Ntsysapi
Ntstatus
Ntapi
Zwcreatethread (
Out phandle threadhandle,
In access_mask desiredaccess,
In pobject_attributes objectattributes,
In handle processhandle,
Out pclient_id clientid,
In pcontext threadcontext,
In puser_stack userstack,
In Boolean createsuincluded );
Ntsysapi
Ntstatus
Ntapi
Zwqueryinformationprocess (
In handle processhandle,
In processinfoclass processinformationclass,
Out pvoid processinformation,
In ulong processinformationlength,
Out Pulong returnlength optional );
Ntsysapi
Ntstatus
Ntapi
Zwresumethread (
In handle threadhandle,
Out Pulong previussuspendcount optional );
Ntsysapi
Void
Ntapi
Rtlinitunicodestring (
Punicode_string destinationstring,
Pcwstr sourcestring );
Ntsysapi
Ntstatus
Ntapi
Zwcreatefile (
Out phandle filehandle,
In access_mask desiredaccess,
In pobject_attributes objectattributes,
Out pio_status_block iostatusblock,
In plarge_integer allocationsize optional,
In ulong fileattributes,
In ulong internal access,
In ulong createdisposition,
In ulong createoptions,
In pvoid eabuffer optional,
In ulong ealength );
}

// Sends a single CSRSS request announcing the new process/thread (handles
// plus ids) so that the Win32 subsystem learns about a process that was
// created directly through zwcreateprocess rather than through kernel32 —
// presumably; the message format is undocumented and reconstructed here.
//
// Review notes:
//  * 0x10000 (api number) and 0x24 (data size) are raw constants that encode
//    one Windows version's CSRSS message layout; they are not portable.
//  * The return status is ignored, so a rejected message goes unnoticed.
//  * In this reproduction the initializer of `Csrmsg` has lost its outer
//    brace: it opens with `{0}` but closes with `}}`.
Void informcsrss (handle hprocess, handle hthread, ulong PID, ulong tid)
{
Struct csrss_message {
Ulong unknown1;
Ulong opcode;
Ulong status;
Ulong unknown2;
};

// Message body: LPC header, subsystem header, then the process/thread
// handles and ids the subsystem is told about; debugger/flags/vdm are zero.
Struct {
Port_message portmessage;
Csrss_message csrssmessage;
Process_information processinformation;
Client_id debugger;
Ulong creationflags;
Ulong vdminfo [2];
} Csrmsg = {0}, {0}, {hprocess, hthread, PID, tid}, {0}, 0, {0 }};

Csrclientcallserver (& csrmsg, 0, 0x10000, 0x24 );
}

// Copies the caller's environment block into `hprocess` and returns the
// address of the copy as seen by the target process.
//
// Review notes:
//  * Neither zwallocatevirtualmemory nor zwwritevirtualmemory is checked; on
//    allocation failure `P` stays 0 and the write targets address 0.
//  * The block returned by getenvironmentstringsw() is never released with
//    freeenvironmentstringsw() (leak in the caller's process).
//  * The byte count N excludes the block's final terminating NUL; the copy
//    relies on the newly committed (zero-filled) pages and on M being
//    rounded up by the allocator to supply it. If N is an exact multiple of
//    the page size there is no slack and the copied block is unterminated.
Pwstr copyenvironment (handle hprocess)
{
Pwstr Env = getenvironmentstringsw ();

// Walk the double-NUL-terminated list of "name=value" strings to measure
// it in characters, then convert to bytes.
Ulong N;
For (n = 0; ENV [N]! = 0; n + = wcslen (ENV + n) + 1); N * = sizeof * env;

// M is in/out: the allocator rounds it up to whole pages.
Ulong M = N;
Pvoid p = 0;
Zwallocatevirtualmemory (hprocess, & P, 0, & M, mem_commit, page_readwrite );

Zwwritevirtualmemory (hprocess, P, ENV, N, 0 );

// Pointer is only meaningful inside the target's address space.
Return pwstr (P );
}

// Builds the process-parameters block for `imagefile`, places a copy of it
// in `hprocess`, and stores the target-side pointer into the target's PEB
// so the new process finds its parameters when its first thread runs.
//
// Review notes:
//  * No status is checked; a failed allocation leaves `P` at 0 and the PEB
//    would receive a null parameters pointer.
//  * 0x10 is a hard-coded offset of the PEB field that receives the pointer
//    (32-bit layout); it is not valid for the 64-bit PEB.
//  * The block is copied verbatim, so the unicode_string buffers inside it
//    are presumably block-relative (not yet normalized) — confirm, otherwise
//    the copied pointers would refer to the caller's address space.
Void createprocessparameters (handle hprocess, ppeb peb, punicode_string imagefile)
{
Pprocess_parameters pp;

Rtlcreateprocessparameters (& PP, imagefile, 0, 0, 0, 0, 0, 0 );

// Replace the caller-side environment pointer with one valid in the target.
PP-> environment = copyenvironment (hprocess );

Ulong n = PP-> size;
Pvoid p = 0;
Zwallocatevirtualmemory (hprocess, & P, 0, & N, mem_commit, page_readwrite );

Zwwritevirtualmemory (hprocess, P, PP, PP-> size, 0 );

// Publish the target-side pointer in the target's PEB (offset 0x10).
Zwwritevirtualmemory (hprocess, pchar (peb) + 0x10, & P, sizeof P, 0 );

Rtldestroyprocessparameters (PP );
}

// Starts the image at `name` (an NT native path; the usage text after the
// listing shows the form) as a new process whose *parent* is the process
// with the decimal PID in `PARAM`, not the caller. Returns the new process
// id. Sequence: open and map the image as a SEC_IMAGE section, create the
// process with the chosen parent handle, build the initial thread's stack
// and register context by hand, create the thread suspended, populate the
// PEB, announce the process to CSRSS, then resume.
//
// Review notes:
//  * No NTSTATUS is checked anywhere; each failure falls through into the
//    next call with uninitialized handles or pointers.
//  * Everything here is 32-bit x86 specific: the selector values in the
//    CONTEXT, the ESP/EIP fields, and the PEB offset written by
//    createprocessparameters().
//  * Detection: the child's inheritedfromuniqueprocessid becomes the PID
//    passed in PARAM, so tooling that infers lineage from that field alone
//    attributes the child to the wrong process. Kernel process-creation
//    callbacks report the creating thread separately from the parent, which
//    is what distinguishes the two.
//  * Identifier text is page-mangled: `hepatitis`/`hepatitis B` appear to
//    be one variable (the parent handle), `ⅱ` holds the section image
//    information, and `procw.asicinformation` is presumably
//    processbasicinformation; `File_assist_read` presumably the share mode.
Int exec (punicode_string name, pwstr PARAM)
{
Pwstr TMP;
Handle hprocess, hthread, hsection, hfile;
Object_attributes OA;
Rtlzeromemory (& OA, sizeof (object_attributes ));
Initializeobjectattributes (& OA, name, obj_case_insensitive, 0, null );
Io_status_block iosb;
// Open the image with read + execute access for mapping as an image section.
Zwopenfile (& hfile, file_read_data | file_execute | synchronize, & OA, & iosb,
File_assist_read, file_synchronous_io_nonalert );

Oa. objectname = 0;

// Image section: the loader-style mapping the process will execute from.
Zwcreatesection (& hsection, section_all_access, 0, 0, page_execute, sec_image, hfile );

Zwclose (hfile );

// Handle to the process that will be recorded as the parent.
Handle hepatitis = OpenProcess (process_all_access, 0, wcstol (Param, & TMP, 10 ));

// Fourth argument is the inherit-from (parent) handle: the new process
// inherits from it rather than from this process.
Zwcreateprocess (& hprocess, process_all_access, 0,
Hepatitis, true, hsection, 0, 0 );

Closehandle (hepatitis B );

// Entry point and stack sizes come from the image headers via the section.
Section_image_information ⅱ;
Zwquerysection (hsection, sectionimageinformation, & ⅱ, sizeof ⅱ, 0 );

Zwclose (hsection );

User_stack stack = {0 };

// Reserve the full stack range in the target.
Ulong n = ⅱ. stackreserve;
Zwallocatevirtualmemory (hprocess, & stack. expandablestackbottom, 0, & N,
Mem_reserve, page_readwrite );

// Stack grows down: base is the top of the reservation, limit is
// stackcommit below it.
Stack. expandablestackbase = pchar (stack. expandablestackbottom) + ⅱ. stackreserve;
Stack. expandablestacklimit = pchar (stack. expandablestackbase)-ⅱ. stackcommit;

// Commit the initial stack plus one extra page at the bottom ...
N = ⅱ. stackcommit + page_size;
Pvoid P = pchar (stack. expandablestackbase)-N;
Zwallocatevirtualmemory (hprocess, & P, 0, & N, mem_commit, page_readwrite );

// ... and mark that lowest page as the guard page.
Ulong X; n = page_size;
Zwprotectvirtualmemory (hprocess, & P, & N, page_readwrite | page_guard, & X );

// Hand-built x86 user-mode context: hard-coded flat-model selectors,
// ESP just below the stack base (4 bytes left free — presumably a return
// address slot), EIP at the image entry point.
Context context = {context_full };
Context. seggs = 0;
Context. segfs = 0x38;
Context. seges = 0x20;
Context. segds = 0x20;
Context. segss = 0x20;
Context. segcs = 0x18;
Context. eflags = 0x3000;
Context. ESP = ulong (stack. expandablestackbase)-4;
Context. EIP = ulong (ⅱ. entrypoint );

Client_id CID;

// Created suspended (last argument) so the PEB can be filled in and CSRSS
// informed before any code runs in the target.
Zwcreatethread (& hthread, thread_all_access, 0, hprocess, & cid, & context, & stack, true );

// Locate the target's PEB to install the process parameters.
Process_basic_information PBI;
Zwqueryinformationprocess (hprocess, procw.asicinformation, & PBI, sizeof PBI, 0 );

Createprocessparameters (hprocess, PBI. pebbaseaddress, name );

Informcsrss (hprocess, hthread, ulong (CID. uniqueprocess), ulong (CID. uniquethread ));

Zwresumethread (hthread, 0 );

Zwclose (hprocess );
Zwclose (hthread );

Return int (CID. uniqueprocess );
}

// Entry point: argv[1] is the image path (NT native form), argv[2] the
// decimal PID of the process to record as the parent.
// Review notes: argc is never checked, so fewer than two arguments
// dereference past the end of argv; the result of exec() is discarded, so
// failures are invisible to the user.
Extern "C"
Int wmain (INT argc, wchar_t * argv [])
{
Unicode_string imagefile;
Rtlinitunicodestring (& imagefile, argv [1]);

Exec (& imagefile, argv [2]);

Return 0;
}

Usage: suppose the compiled program is ppp.exe. To run qqq.exe from the root of drive C: with ppp.exe, setting its parent process to explorer.exe whose PID is ***, enter at the console:
ppp.exe \??\C:\qqq.exe ***
Checking the parent process of qqq.exe with other tools shows that it is explorer, not ppp.exe. At creation time, InheritedFromUniqueProcessId in the EPROCESS of qqq.exe was set to the PID of explorer, and querying it through ZwQuery*** returns that InheritedFromUniqueProcessId.
Not every PE-format application can be loaded with the program above; modify it as needed.

What is it for? Mainly demonstration, plus a few minor uses — for example, when debugging another process, setting its parent to Explorer so that a query of the parent process does not reveal your own process (the simplest way is to change the ZwCreateProcess parameters via a hook).
