Consider Parent PID spoofing #11

Open
JohnLaTwC opened this issue Oct 5, 2020 · 5 comments

Comments

@JohnLaTwC
Contributor

pid = getppid(pid);

You may want to check out this article on parent pid spoofing.
https://pentestlab.blog/2020/02/24/parent-pid-spoofing/

@olliencc
Contributor

Is there any reasonable user land way to detect, @JohnLaTwC?

@olliencc
Contributor

The only way I can see to detect PPID spoofing is via ETW.

@Omodaka9375
Contributor

AFAIK, UAC will also spoof your parent process by using the svchost service name.

@N3mes1s

N3mes1s commented Oct 26, 2020

Reference to what @olliencc and @Omodaka9375 said about parent PID spoofing: https://blog.f-secure.com/detecting-parent-pid-spoofing/
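
As an added example (not code from this thread or from the project): the ETW-based check discussed above, run over constructed Microsoft-Windows-Kernel-Process ProcessStart records, including the UAC broker case raised in the comments. It assumes an ETW consumer has already flattened each event to a dict whose `header_pid` is the event-header PID (the process that made the creation call); the record layout, the function names and the broker allowlist are assumptions.

```python
import ntpath

# Assumption: creators that legitimately re-parent children. UAC elevation is
# brokered from svchost.exe (see the comment above), so it is expected noise.
# Basename match only; a production rule should also verify the full path.
BROKER_IMAGES = {"svchost.exe"}

def find_ppid_mismatches(events, brokers=BROKER_IMAGES):
    """Return one finding per start event whose declared parent is not its creator."""
    images = {}  # pid -> image basename, learned from earlier start events
    findings = []
    for ev in events:
        pid, ppid, creator = ev["ProcessID"], ev["ParentProcessID"], ev["header_pid"]
        image = ntpath.basename(ev["ImageName"]).lower()
        if creator != ppid:
            creator_image = images.get(creator, "<unknown>")
            verdict = "expected-broker" if creator_image in brokers else "suspicious"
            findings.append({"pid": pid, "image": image, "declared_parent": ppid,
                             "creator": creator, "creator_image": creator_image,
                             "verdict": verdict})
        images[pid] = image  # on PID reuse the latest start wins
    return findings

def start_event(creator, pid, ppid, image):
    # Hypothetical flattened record layout for a ProcessStart event (ID 1).
    return {"header_pid": creator, "ProcessID": pid, "ParentProcessID": ppid,
            "ImageName": "\\Device\\HarddiskVolume2\\Windows\\" + image}

# Constructed sample events, not captured from a real system.
SAMPLE_EVENTS = [
    start_event(500, 700, 500, "System32\\services.exe"),
    start_event(700, 1200, 700, "System32\\svchost.exe"),
    start_event(2900, 3000, 2900, "explorer.exe"),
    start_event(3000, 4100, 3000, "System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    start_event(1200, 5000, 3000, "System32\\mmc.exe"),  # UAC-style broker launch
    start_event(4100, 6000, 700, "System32\\cmd.exe"),   # creator != declared parent
]

if __name__ == "__main__":
    for finding in find_ppid_mismatches(SAMPLE_EVENTS):
        print(finding)
```

A creator that started before the trace began is reported as `<unknown>` and treated as suspicious, so a real consumer would seed the PID map from a process snapshot first.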

@Gulhanburcu

I want to cancel all transactions
