PPID (Parent Process ID) spoofing is a technique used to make a newly created process appear as if it was spawned by a specified parent process, rather than the actual process creating it.
This Rust program uses the Windows API to perform PPID spoofing by leveraging InitializeProcThreadAttributeList and UpdateProcThreadAttribute to set a custom parent process handle for a new process.
- Admin Privileges: Required for enabling SeDebugPrivilege and accessing process handles.
- Compile:
  cargo build --release
- Run:
  cargo run --release -- <ppid> <commandline>
  - <ppid>: The Process ID of the desired parent process (e.g., explorer.exe).
  - <commandline>: The command to execute (e.g., "notepad.exe" or "cmd.exe /c dir").
- Example:
  cargo run --release -- 1234 "notepad.exe"
- Find a PPID:
  tasklist | findstr explorer
- Run as Administrator:
  - The program prompts for elevation if not run as admin.
  - Use an elevated Command Prompt or PowerShell.
- Elevation: Checks if running as admin; if not, relaunches with runas.
- SeDebugPrivilege: Enables debug privileges for process handle access.
- PPID Spoofing:
  - Opens the target parent process using OpenProcess.
  - Allocates and initializes a process attribute list with InitializeProcThreadAttributeList.
  - Sets the parent process handle using UpdateProcThreadAttribute.
  - Creates the new process with CreateProcessW, spoofing the PPID.
- Cleanup: Closes handles and frees memory.
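For the defender's side of the technique described above, here is an added example (not part of this PoC or its author's code) of how the spoofing is caught. A process created with the parent-process attribute records the chosen handle's PID as its parent, so anything that reads the parent from the process object reports the spoofed value. An ETW ProcessStart event, by contrast, is raised in the context of the thread that called CreateProcess, so the PID in the event header is the real creator; a mismatch between the header PID and the ParentProcessID payload field is the signal. The script assumes a constructed key=value log format, a constructed PID-to-image map, and a constructed allowlist for components that legitimately re-parent children (the UAC AppInfo service hosted in svchost.exe, for instance); none of those are real schemas or official lists.

```python
"""Parent-PID spoofing detection over process-start telemetry (example code).

Compares the PID that emitted each ProcessStart event (the real creator)
with the ParentProcessID field the new process will report, and flags the
mismatches that are not explained by a known benign re-parenting component.
"""
import re
from dataclasses import dataclass

# Constructed line format for this example; it is not a verbatim dump of the
# Microsoft-Windows-Kernel-Process ProcessStart schema.
SAMPLE_LOG = """\
ProcessStart header_pid=1234 pid=6000 ppid=1234 image=C:\\Windows\\System32\\cmd.exe
ProcessStart header_pid=4321 pid=5555 ppid=1234 image=C:\\Windows\\System32\\notepad.exe
ProcessStart header_pid=900 pid=7100 ppid=1234 image=C:\\Windows\\System32\\mmc.exe
"""

# PID -> image map as a sensor would have built it from earlier start events
# (constructed). 4321 stands in for whichever executable ran the spoofing code.
KNOWN_PROCESSES = {
    1234: r"C:\Windows\explorer.exe",
    4321: r"C:\Users\alice\poc.exe",
    900: r"C:\Windows\System32\svchost.exe",
}

# Creators that legitimately set a different parent, e.g. the UAC AppInfo
# service (hosted in svchost) starting an elevated process for the requester.
# These entries are an assumption for this example, not an official list.
LEGITIMATE_REPARENTERS = {r"c:\windows\system32\svchost.exe"}


@dataclass(frozen=True)
class ProcessStart:
    header_pid: int   # PID in the ETW event header: the actual creator
    pid: int          # the newly created process
    ppid: int         # ParentProcessID field: what the OS will report as parent
    image: str


LINE_RE = re.compile(
    r"^ProcessStart header_pid=(\d+) pid=(\d+) ppid=(\d+) image=(.+)$"
)


def parse_log(text):
    """Parse the constructed line format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hp, pid, ppid, image = m.groups()
            events.append(ProcessStart(int(hp), int(pid), int(ppid), image))
    return events


def find_spoofed(events, processes=KNOWN_PROCESSES, allowlist=LEGITIMATE_REPARENTERS):
    """Return (event, creator_image) for each event whose recorded parent
    is not the process that actually emitted it, minus allowlisted creators."""
    findings = []
    for ev in events:
        if ev.header_pid == ev.ppid:
            continue                      # ordinary CreateProcess call
        creator = processes.get(ev.header_pid, "<unknown>")
        if creator.lower() in allowlist:
            continue                      # known benign re-parenting
        findings.append((ev, creator))
    return findings


def describe(finding):
    """One-line alert text for a finding."""
    ev, creator = finding
    return (f"pid {ev.pid} ({ev.image}) claims parent {ev.ppid} "
            f"but was created by pid {ev.header_pid} ({creator})")


if __name__ == "__main__":
    for f in find_spoofed(parse_log(SAMPLE_LOG)):
        print(describe(f))
```

Of the three constructed events, only the notepad.exe start is reported: its header PID (4321, the PoC) differs from the parent it claims (1234, explorer.exe). The cmd.exe start is a normal creation, and the mmc.exe start is re-parented by svchost.exe, which the allowlist treats as benign. The allowlist is the part that needs tuning in a real deployment, since Windows itself uses the parent attribute for elevation and broker scenarios.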
