stackoom
  简体   繁体   中英

Routing stdout of process with PPID Spoofing

 原文  2020-11-04 08:23:21       c++/ c/ windows/ winapi/ stdout

Question

I tried to write a code that uses CreateProcess() to execute CMD commands and will redirect the stdout to a named pipe. I wanted to add a functionality to spoof the Parent PID so that the cmd will spawn under explorer.exe. Each of the functionalities works on it's own but when I tried to merge them it will not work.

The stdout routing:

int main()
{
    HANDLE hStdout_Rd = NULL;
    HANDLE hStdout_Wr = NULL;
    SECURITY_ATTRIBUTES saAttr;
    saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
    saAttr.bInheritHandle = TRUE;
    saAttr.lpSecurityDescriptor = NULL;

    CreatePipe(&hStdout_Rd, &hStdout_Wr, &saAttr, NULL);
    SetHandleInformation(hStdout_Rd, HANDLE_FLAG_INHERIT, 0);

    //Set startup info
    STARTUPINFO si;
    ZeroMemory(&si, (sizeof(STARTUPINFO)));
    si.cb = sizeof(STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.hStdError = hStdout_Wr;
    si.hStdOutput = hStdout_Wr;
    si.wShowWindow = SW_HIDE;

    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
    CString cmd;
    if (CreateProcess(NULL, cmd.GetBuffer(), NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
    {
        //Great success read pipe contents
    }
    CloseHandle(hStdout_Rd);
    CloseHandle(hStdout_Wr);
}

The PPID Spoof: 

int main() {

    CString cmd;
    STARTUPINFOEXA sInfoEX;
    PROCESS_INFORMATION pInfo;
    SIZE_T sizeT;

    HANDLE expHandle = OpenProcess(PROCESS_ALL_ACCESS, false, getParentProcessID());

    ZeroMemory(&sInfoEX, sizeof(STARTUPINFOEXA));
    InitializeProcThreadAttributeList(NULL, 1, 0, &sizeT);
    sInfoEX.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeT);
    InitializeProcThreadAttributeList(sInfoEX.lpAttributeList, 1, 0, &sizeT);
    UpdateProcThreadAttribute(sInfoEX.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &expHandle, sizeof(HANDLE), NULL, NULL);
    sInfoEX.StartupInfo.cb = sizeof(STARTUPINFOEXA);

    CreateProcessA(NULL, cmd.GetBuffer(), NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, reinterpret_cast<LPSTARTUPINFOA>(&sInfoEX), &pInfo);


    return 0;
}

All Together:

int main() {

    HANDLE hStdout_Rd = NULL;
    HANDLE hStdout_Wr = NULL;
    SECURITY_ATTRIBUTES saAttr;
    saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
    saAttr.bInheritHandle = TRUE;
    saAttr.lpSecurityDescriptor = NULL;
    CString cmd;
    STARTUPINFOEXA sInfoEX;
    PROCESS_INFORMATION pInfo;
    ZeroMemory(&pInfo, sizeof(PROCESS_INFORMATION));
    SIZE_T sizeT;

    HANDLE expHandle = OpenProcess(PROCESS_ALL_ACCESS, false, getParentProcessID());

    ZeroMemory(&sInfoEX, sizeof(STARTUPINFOEXA));
    sInfoEX.StartupInfo = sizeof(STARTUPINFO);
    sInfoEX.StartupInfo = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    sInfoEX.StartupInfo = hStdout_Wr;
    sInfoEX.StartupInfo = hStdout_Wr;
    sInfoEX.StartupInfo = SW_HIDE;
    InitializeProcThreadAttributeList(NULL, 1, 0, &sizeT);
    sInfoEX.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeT);
    InitializeProcThreadAttributeList(sInfoEX.lpAttributeList, 1, 0, &sizeT);
    UpdateProcThreadAttribute(sInfoEX.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &expHandle, sizeof(HANDLE), NULL, NULL);
    sInfoEX.StartupInfo.cb = sizeof(STARTUPINFOEXA);

    if (CreateProcessA(NULL, cmd.GetBuffer(), NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, reinterpret_cast<LPSTARTUPINFOA>(&sInfoEX), &pInfo))
    {
        //Read pipe contents
    }
    return 0;
}

Is there anything I'm missing?

1 answers

solution1
 0  2020-11-05 06:23:27

Each of the functionalities works on it's own but when I tried to merge them it will not work.

An anonymous pipe is an unnamed, one-way pipe that typically transfers data between a parent process and a child process. To communicate using the pipe, the pipe server must pass a pipe handle to another process. Usually, this is done through inheritance ; that is, the process allows the handle to be inherited by a child process.

Since you change the child process's parent to explorer.exe. Initial parent-child relationship no longer exist. So the new process can't access the handle ( hStdout_Wr ) created in the old parent process. That's why it stops working.

To achieve your purpose:

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Waiting for a process or stdout on Windows Capture spawned process stdout as unicode Disabling stdout buffering of a forked process redirect the stdout of a child process to the parent process stdin Capture stdout for a remote process' child process Get stdout of a shell command using boost process Ok to write to stdout on Unix process without terminal? Incomplete messages in pipe connected to stdout of child process launch an exe/process with stdin stdout and stderr? Read another process' stdout in C++
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM