Didier Stevens

Monday 20 March 2017

That Is Not My Child Process!

Filed under: Forensics,Hacking — Didier Stevens @ 0:00

Years ago I released a tool to create a Windows process with selected parent process: SelectMyParent.

You cannot blindly trust parent-child process relations in Windows: the parent recorded for a process can be different from the process that actually created it.

Here I start selectmyparent from cmd.exe to launch notepad.exe with parent explorer.exe (PID 328):

Process Explorer reports explorer.exe as the parent (and not selectmyparent.exe):

Process Monitor also reports explorer.exe as the parent:

If we look at the call stack of the process creation of notepad.exe, we see two frames (6 and 7) with unknown modules:

We should see entries in the call stack for explorer.exe if notepad.exe was started by explorer.exe, but we don’t.

The <unknown> module is actually selectmyparent.exe.

0x11b1461 is the address of the instruction after the call to _main in ___tmainCRTStartup in selectmyparent.exe.

0x11b12a8 is the address of the instruction after the call to CreateProcessW in _main in selectmyparent.exe.


System Monitor also reports explorer.exe as the parent:

Finally, Volatility’s pstree command also reports explorer.exe as the parent:
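Every tool above faithfully reports the parent that the OS recorded, so the only tell in this post is the call stack of the process creation: frames from an unresolved module, and no frame at all from the supposed parent. As an added example (not code from this post or from SelectMyParent), here is that check as a heuristic over a Process Monitor style stack listing. The "Frame | Module | Location" layout, the "K n"/"U n" frame prefixes and all sample frames are assumptions or constructed, except the two addresses discussed above.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    kernel: bool   # True for "K n" (kernel) frames, False for "U n" (user) frames
    number: int
    module: str    # "<unknown>" when Process Monitor cannot map the address to a module
    location: str

def parse_stack(text: str) -> list[Frame]:
    """Parse a 'Frame | Module | Location' listing, one frame per line (assumed layout)."""
    frames = []
    for line in text.strip().splitlines():
        frame, module, location = (p.strip() for p in line.split("|"))
        mode, number = frame.split()
        frames.append(Frame(mode == "K", int(number), module, location))
    return frames

def parent_indicators(frames: list[Frame], reported_parent: str) -> list[str]:
    """Reasons not to trust the reported parent; an empty list means the stack is consistent."""
    reasons = []
    unknown = [f.number for f in frames if f.module == "<unknown>"]
    if unknown:
        reasons.append(f"frames {unknown} come from an unresolved module")
    user = [f for f in frames if not f.kernel]
    if user and not any(f.module.lower() == reported_parent.lower() for f in user):
        reasons.append(f"no user-mode frame belongs to reported parent {reported_parent}")
    return reasons

# Constructed Windows frames shared by both samples (innermost frame first, as Process Monitor shows them).
WINDOWS_FRAMES = """
K 0 | fltmgr.sys     | FltGetStreamContext + 0x1ad
K 1 | ntoskrnl.exe   | NtCreateUserProcess + 0x4c1
K 2 | ntoskrnl.exe   | KiSystemServiceCopyEnd + 0x13
U 3 | ntdll.dll      | ZwCreateUserProcess + 0xa
U 4 | KERNELBASE.dll | CreateProcessInternalW + 0x1ac
U 5 | kernel32.dll   | CreateProcessW + 0x2c
"""
# Shape of the post's screenshot: the two frames the tool itself contributed, nothing from explorer.exe.
SPOOFED_STACK = WINDOWS_FRAMES + """U 6 | <unknown>      | 0x11b12a8
U 7 | <unknown>      | 0x11b1461
"""
# Constructed stack for a notepad.exe that explorer.exe really launched: its own frames are present.
LEGIT_STACK = WINDOWS_FRAMES + """U 6 | explorer.exe   | explorer.exe + 0x3f2a1
U 7 | explorer.exe   | explorer.exe + 0x4c0d8
"""

def check_sample(stack: str) -> list[str]:
    return parent_indicators(parse_stack(stack), "explorer.exe")
```

The heuristic only works on a stack captured at creation time (Process Monitor, or a Sysmon event with stack capture from a newer version), and unresolved frames can also come from legitimate packed or JIT code, so treat the result as a lead to confirm, not a verdict.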

5 Comments »

  1. What’s going on under the covers? Would you be able to rely on another sysmon event, like ProcessAccess or CreateRemoteThread? What are better ways to detect these types of shenanigans?

    Comment by Matt Giannetto — Tuesday 21 March 2017 @ 11:28

  2. I explained how it is done in my blog post of 2009; it’s the first link in this blog post:

    Quickpost: SelectMyParent or Playing With the Windows Process Tree

    Comment by Didier Stevens — Tuesday 21 March 2017 @ 19:04

  3. […] That Is Not My Child Process! […]

    Pingback by Overview of Content Published In March | Didier Stevens — Tuesday 4 April 2017 @ 0:00

  4. […] release of Cobalt Strike pushes back on this technique with the ppid command. The PPID command tasks Beacon to launch cmd.exe, […]

    Pingback by Cobalt Strike 3.8 – Who’s Your Daddy? | Strategic Cyber LLC — Tuesday 23 May 2017 @ 13:01

  5. […] Years ago I wrote a C program to create a new process with a chosen parent process: selectmyparent. And recently I showed what process monitor and system monitor report when you use this tool. […]

    Pingback by Select Parent Process from VBA | Didier Stevens — Monday 10 July 2017 @ 0:00

