I'm playing with the code from this site, which is meant to modify the ImagePathName and CommandLine fields of the PEB, as shown here:
Process Explorer showing the custom code's path set to c:\windows\system32\notepad.exe
The code didn't work out of the box for me, so I made some small changes; this is what I'm working with:
//https://ired.team/offensive-security-experiments/masquerading-processes-in-userland-through-_peb
#include "stdafx.h"
#include "Windows.h"
#include "winternl.h"
#include <iostream>
using namespace std;
// Function-pointer alias matching NtQueryInformationProcess(ProcessHandle,
// ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength);
// the address is resolved at run time with GetProcAddress rather than linked directly.
using MYPROC = NTSTATUS(__stdcall *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
int main() {
// Reads the current process's PEB through NtQueryInformationProcess, prints the
// ProcessParameters strings, overwrites their Buffer pointers with a local array and
// prints them again. Everything printed here comes from memory the process itself
// controls, so a PEB string is not evidence of which image is actually executing;
// tooling that wants the real image path has to obtain it from the kernel side.
HANDLE h = GetCurrentProcess();
PROCESS_BASIC_INFORMATION ProcessInformation;
ULONG length = 0;
HINSTANCE ntdll;
MYPROC GetProcessInformation;
// Stack-local array. Its address is stored into a process-wide structure below, so it
// is only valid while main() is still running.
wchar_t commandline[] = L"C:\\windows\\system32\\notepad.exe";
ntdll = LoadLibrary(TEXT("Ntdll.dll"));
// resolve address of NtQueryInformationProcess in ntdll.dll
// NOTE(review): neither the LoadLibrary result nor the GetProcAddress result is
// checked for NULL before the pointer is called.
GetProcessInformation = (MYPROC)GetProcAddress(ntdll, "NtQueryInformationProcess");
//get _PEB object
// NOTE(review): the NTSTATUS return value is discarded; if the query fails,
// ProcessInformation is used uninitialised on the next lines.
(GetProcessInformation)(h, ProcessBasicInformation, &ProcessInformation, sizeof(ProcessInformation), &length);
// print commandline and imagepathname (%s stops at the NUL terminator of Buffer)
wprintf(L"ImagePathName is: %s\n", ProcessInformation.PebBaseAddress->ProcessParameters->ImagePathName.Buffer);
wprintf(L"CommandLine is: %s\n", ProcessInformation.PebBaseAddress->ProcessParameters->CommandLine.Buffer);
// replace commandline and imagepathname
// Only the Buffer member of each UNICODE_STRING is assigned; its Length and
// MaximumLength members keep their original values, so the structure no longer
// describes the buffer it points to. A reader that uses Length instead of the NUL
// terminator will therefore see something different from the wprintf output below;
// presumably that is why an external tool reports a path it cannot open — confirm.
ProcessInformation.PebBaseAddress->ProcessParameters->ImagePathName.Buffer = commandline;
ProcessInformation.PebBaseAddress->ProcessParameters->CommandLine.Buffer = commandline;
// print commandline and imagepathname
wprintf(L"ImagePathName is: %s\n", ProcessInformation.PebBaseAddress->ProcessParameters->ImagePathName.Buffer);
wprintf(L"CommandLine is: %s\n", ProcessInformation.PebBaseAddress->ProcessParameters->CommandLine.Buffer);
system("PAUSE");
return 0;
}
When I run this on my Windows 7 machine I get the following output:
ImagePathName is: E:\zonealarm\pebmasquerade\Debug\pebmasquerade.exe
CommandLine is: "E:\zonealarm\pebmasquerade\Debug\pebmasquerade.exe"
ImagePathName is: C:\windows\system32\notepad.exe
CommandLine is: C:\windows\system32\notepad.exe
This looks good, but then in Process Explorer the CommandLine is C:\windows\system32\notepad.exe
but the path reads [The system cannot find the file specified.]
I haven't been able to figure out why, and the ImagePathName is what actually matters for me.
Thanks!
Edit:
I checked in WinDbg and the fields are set as expected, so perhaps Process Explorer reads the path from somewhere else?
0:001> dt _peb @$peb
ntdll!_PEB
...
+0x010 ProcessParameters : 0x00531fd8 _RTL_USER_PROCESS_PARAMETERS
...
0:001> dt _RTL_USER_PROCESS_PARAMETERS 0x00000000`00531fd8
ntdll!_RTL_USER_PROCESS_PARAMETERS
...
+0x038 ImagePathName : _UNICODE_STRING "C:\windows\system32\notepad.exe"
+0x040 CommandLine : _UNICODE_STRING "C:\windows\system32\notepad.exe"
...