How To Modify ImagePathName Inside PEB of Current Process in C++ or C#

I'm playing with the code from this site which is meant to modify the ImagePathName and CommandLine fields of the PEB as shown here:

[Screenshot: Process Explorer showing the custom code's path set to c:\windows\system32\notepad.exe]

The code didn't work out of the box for me so I made some small changes and this is what I'm working with:

//https://ired.team/offensive-security-experiments/masquerading-processes-in-userland-through-_peb
#include "stdafx.h"
#include "Windows.h"
#include "winternl.h"
#include <iostream>
using namespace std;

// NtQueryInformationProcess has no import library, so it is resolved from ntdll.dll at runtime
typedef NTSTATUS(__stdcall *MYPROC) (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

int main() {
    HANDLE h = GetCurrentProcess();
    PROCESS_BASIC_INFORMATION ProcessInformation;
    ULONG length = 0;
    HINSTANCE ntdll;
    MYPROC GetProcessInformation;
    wchar_t commandline[] = L"C:\\windows\\system32\\notepad.exe";
    ntdll = LoadLibrary(TEXT("Ntdll.dll"));
    if (ntdll == NULL) {
        wprintf(L"LoadLibrary(Ntdll.dll) failed: %lu\n", GetLastError());
        return 1;
    }

    // resolve address of NtQueryInformationProcess in ntdll.dll
    GetProcessInformation = (MYPROC)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (GetProcessInformation == NULL) {
        wprintf(L"GetProcAddress(NtQueryInformationProcess) failed: %lu\n", GetLastError());
        return 1;
    }

    // get the _PEB address of the current process (a negative NTSTATUS means failure)
    NTSTATUS status = (GetProcessInformation)(h, ProcessBasicInformation, &ProcessInformation, sizeof(ProcessInformation), &length);
    if (status < 0) {
        wprintf(L"NtQueryInformationProcess failed: 0x%08lx\n", status);
        return 1;
    }

    // print commandline and imagepathname as they are in PEB->ProcessParameters
    wprintf(L"ImagePathName is: %s\n", ProcessInformation.PebBaseAddress->ProcessParameters->ImagePathName.Buffer);
    wprintf(L"CommandLine is: %s\n", ProcessInformation.PebBaseAddress->ProcessParameters->CommandLine.Buffer);

    // replace commandline and imagepathname (point both UNICODE_STRING buffers at the local array)
    ProcessInformation.PebBaseAddress->ProcessParameters->ImagePathName.Buffer = commandline;
    ProcessInformation.PebBaseAddress->ProcessParameters->CommandLine.Buffer = commandline;

    // print commandline and imagepathname again to confirm the change
    wprintf(L"ImagePathName is: %s\n", ProcessInformation.PebBaseAddress->ProcessParameters->ImagePathName.Buffer);
    wprintf(L"CommandLine is: %s\n", ProcessInformation.PebBaseAddress->ProcessParameters->CommandLine.Buffer);

    // keep the process alive so it can be inspected in Process Explorer / WinDbg
    system("PAUSE");

    FreeLibrary(ntdll);
    return 0;
}

When I run this on my Windows 7 machine I get the following output:

ImagePathName is: E:\zonealarm\pebmasquerade\Debug\pebmasquerade.exe
CommandLine is: "E:\zonealarm\pebmasquerade\Debug\pebmasquerade.exe"
ImagePathName is: C:\windows\system32\notepad.exe
CommandLine is: C:\windows\system32\notepad.exe

This looks good, but then in Process Explorer the CommandLine is C:\windows\system32\notepad.exe but the path reads [The system cannot find the file specified.]

I haven't been able to figure out why and the ImagePathName is what actually matters for me.

Thanks!

Edit:

I checked in WinDbg and the fields are set as expected. So maybe Process Explorer reads something else to get the path?

0:001> dt _peb @$peb
ntdll!_PEB
   ...
   +0x010 ProcessParameters : 0x00531fd8 _RTL_USER_PROCESS_PARAMETERS
   ...
0:001> dt _RTL_USER_PROCESS_PARAMETERS 0x00000000`00531fd8
ntdll!_RTL_USER_PROCESS_PARAMETERS
   ...
   +0x038 ImagePathName    : _UNICODE_STRING "C:\windows\system32\notepad.exe"
   +0x040 CommandLine      : _UNICODE_STRING "C:\windows\system32\notepad.exe"
   ...
Tags: c++, exploit

asked on Stack Overflow Feb 1, 2019 by muffin • edited Feb 1, 2019 by muffin
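Since the question asks whether Process Explorer takes the path from somewhere other than the PEB, here is an added cross-check, written for this page and not the asker's code: a C# tool that reads a target process's PEB ImagePathName the same way (NtQueryInformationProcess, then the ProcessParameters structure) and compares it with the image path the kernel reports through QueryFullProcessImageName, which a process cannot rewrite from user mode. It assumes the checker and the target share a bitness (a 32-bit build for the 32-bit target in the question); the class, method names and the PID argument are my own.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
// Added cross-check (not code from the question): PEB->ProcessParameters->ImagePathName is user-mode
// memory the process itself can rewrite; the image path the kernel reports is not. A disagreement
// between the two is a tampering indicator. Assumes checker and target share a bitness.
class PebPathCheck
{
    struct PROCESS_BASIC_INFORMATION { public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority, UniqueProcessId, ParentProcessId; }
    [DllImport("ntdll.dll")] static extern int NtQueryInformationProcess(IntPtr h, int infoClass, ref PROCESS_BASIC_INFORMATION pbi, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool QueryFullProcessImageName(IntPtr h, int flags, StringBuilder name, ref int size);

    static byte[] ReadBytes(IntPtr h, IntPtr addr, int size)
    {
        var buf = new byte[size];
        if (!ReadProcessMemory(h, addr, buf, size, out _)) throw new Win32Exception();
        return buf;
    }
    static IntPtr ToPtr(byte[] b, int off) =>
        IntPtr.Size == 8 ? (IntPtr)BitConverter.ToInt64(b, off) : (IntPtr)BitConverter.ToInt32(b, off);

    // PEB -> ProcessParameters -> ImagePathName; the x86 offsets (+0x10, +0x38) are the ones in the question's WinDbg dump.
    static string ReadPebImagePath(IntPtr h)
    {
        var pbi = new PROCESS_BASIC_INFORMATION();
        int status = NtQueryInformationProcess(h, 0 /* ProcessBasicInformation */, ref pbi, Marshal.SizeOf(pbi), out _);
        if (status != 0) throw new InvalidOperationException("NtQueryInformationProcess: 0x" + status.ToString("X8"));
        bool x64 = IntPtr.Size == 8;
        IntPtr procParams = ToPtr(ReadBytes(h, pbi.PebBaseAddress + (x64 ? 0x20 : 0x10), IntPtr.Size), 0);
        byte[] us = ReadBytes(h, procParams + (x64 ? 0x60 : 0x38), x64 ? 16 : 8); // UNICODE_STRING ImagePathName
        ushort byteLen = BitConverter.ToUInt16(us, 0);                            // Length is a byte count, no terminator
        return Encoding.Unicode.GetString(ReadBytes(h, ToPtr(us, x64 ? 8 : 4), byteLen));
    }

    static void Main(string[] args)
    {
        int pid = args.Length > 0 ? int.Parse(args[0]) : Process.GetCurrentProcess().Id;
        IntPtr h = OpenProcess(0x0400 | 0x0010, false, pid); // PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
        if (h == IntPtr.Zero) throw new Win32Exception();
        string pebPath = ReadPebImagePath(h);
        var kernelPath = new StringBuilder(1024); int size = kernelPath.Capacity;
        if (!QueryFullProcessImageName(h, 0, kernelPath, ref size)) throw new Win32Exception();
        bool mismatch = !string.Equals(pebPath, kernelPath.ToString(), StringComparison.OrdinalIgnoreCase);
        Console.WriteLine("PID {0}\n  PEB ImagePathName: {1}\n  kernel image path: {2}\n  {3}", pid, pebPath, kernelPath,
            mismatch ? "MISMATCH - the PEB ImagePathName has been rewritten" : "consistent");
    }
}
```

Run it against the PID of the paused sample above to see the two views side by side; running it with no argument checks its own process, which should report "consistent".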

0 Answers


User contributions licensed under CC BY-SA 3.0