├── LICENSE.md ├── NtCreateUserProcess.sln ├── NtCreateUserProcess.vcxproj ├── NtCreateUserProcess.vcxproj.user ├── README.md ├── imports.h └── main.cpp /LICENSE.md: -------------------------------------------------------------------------------- 1 | 2 | Open Software License ("OSL") v. 3.0 3 | 4 | This Open Software License (the "License") applies to any original work of 5 | authorship (the "Original Work") whose owner (the "Licensor") has placed the 6 | following licensing notice adjacent to the copyright notice for the Original 7 | Work: 8 | 9 | Licensed under the Open Software License version 3.0 10 | 11 | 1) Grant of Copyright License. Licensor grants You a worldwide, royalty-free, 12 | non-exclusive, sublicensable license, for the duration of the copyright, to do 13 | the following: 14 | 15 | a) to reproduce the Original Work in copies, either alone or as part of a 16 | collective work; 17 | 18 | b) to translate, adapt, alter, transform, modify, or arrange the Original 19 | Work, thereby creating derivative works ("Derivative Works") based upon the 20 | Original Work; 21 | 22 | c) to distribute or communicate copies of the Original Work and Derivative 23 | Works to the public, with the proviso that copies of Original Work or 24 | Derivative Works that You distribute or communicate shall be licensed under 25 | this Open Software License; 26 | 27 | d) to perform the Original Work publicly; and 28 | 29 | e) to display the Original Work publicly. 30 | 31 | 2) Grant of Patent License. Licensor grants You a worldwide, royalty-free, 32 | non-exclusive, sublicensable license, under patent claims owned or controlled 33 | by the Licensor that are embodied in the Original Work as furnished by the 34 | Licensor, for the duration of the patents, to make, use, sell, offer for sale, 35 | have made, and import the Original Work and Derivative Works. 36 | 37 | 3) Grant of Source Code License. 
The term "Source Code" means the preferred 38 | form of the Original Work for making modifications to it and all available 39 | documentation describing how to modify the Original Work. Licensor agrees to 40 | provide a machine-readable copy of the Source Code of the Original Work along 41 | with each copy of the Original Work that Licensor distributes. Licensor 42 | reserves the right to satisfy this obligation by placing a machine-readable 43 | copy of the Source Code in an information repository reasonably calculated to 44 | permit inexpensive and convenient access by You for as long as Licensor 45 | continues to distribute the Original Work. 46 | 47 | 4) Exclusions From License Grant. Neither the names of Licensor, nor the names 48 | of any contributors to the Original Work, nor any of their trademarks or 49 | service marks, may be used to endorse or promote products derived from this 50 | Original Work without express prior permission of the Licensor. Except as 51 | expressly stated herein, nothing in this License grants any license to 52 | Licensor's trademarks, copyrights, patents, trade secrets or any other 53 | intellectual property. No patent license is granted to make, use, sell, offer 54 | for sale, have made, or import embodiments of any patent claims other than the 55 | licensed claims defined in Section 2. No license is granted to the trademarks 56 | of Licensor even if such marks are included in the Original Work. Nothing in 57 | this License shall be interpreted to prohibit Licensor from licensing under 58 | terms different from this License any Original Work that Licensor otherwise 59 | would have a right to license. 60 | 61 | 5) External Deployment. 
The term "External Deployment" means the use, 62 | distribution, or communication of the Original Work or Derivative Works in any 63 | way such that the Original Work or Derivative Works may be used by anyone 64 | other than You, whether those works are distributed or communicated to those 65 | persons or made available as an application intended for use over a network. 66 | As an express condition for the grants of license hereunder, You must treat 67 | any External Deployment by You of the Original Work or a Derivative Work as a 68 | distribution under section 1(c). 69 | 70 | 6) Attribution Rights. You must retain, in the Source Code of any Derivative 71 | Works that You create, all copyright, patent, or trademark notices from the 72 | Source Code of the Original Work, as well as any notices of licensing and any 73 | descriptive text identified therein as an "Attribution Notice." You must cause 74 | the Source Code for any Derivative Works that You create to carry a prominent 75 | Attribution Notice reasonably calculated to inform recipients that You have 76 | modified the Original Work. 77 | 78 | 7) Warranty of Provenance and Disclaimer of Warranty. Licensor warrants that 79 | the copyright in and to the Original Work and the patent rights granted herein 80 | by Licensor are owned by the Licensor or are sublicensed to You under the 81 | terms of this License with the permission of the contributor(s) of those 82 | copyrights and patent rights. Except as expressly stated in the immediately 83 | preceding sentence, the Original Work is provided under this License on an "AS 84 | IS" BASIS and WITHOUT WARRANTY, either express or implied, including, without 85 | limitation, the warranties of non-infringement, merchantability or fitness for 86 | a particular purpose. THE ENTIRE RISK AS TO THE QUALITY OF THE ORIGINAL WORK 87 | IS WITH YOU. This DISCLAIMER OF WARRANTY constitutes an essential part of this 88 | License. 
No license to the Original Work is granted by this License except 89 | under this disclaimer. 90 | 91 | 8) Limitation of Liability. Under no circumstances and under no legal theory, 92 | whether in tort (including negligence), contract, or otherwise, shall the 93 | Licensor be liable to anyone for any indirect, special, incidental, or 94 | consequential damages of any character arising as a result of this License or 95 | the use of the Original Work including, without limitation, damages for loss 96 | of goodwill, work stoppage, computer failure or malfunction, or any and all 97 | other commercial damages or losses. This limitation of liability shall not 98 | apply to the extent applicable law prohibits such limitation. 99 | 100 | 9) Acceptance and Termination. If, at any time, You expressly assented to this 101 | License, that assent indicates your clear and irrevocable acceptance of this 102 | License and all of its terms and conditions. If You distribute or communicate 103 | copies of the Original Work or a Derivative Work, You must make a reasonable 104 | effort under the circumstances to obtain the express assent of recipients to 105 | the terms of this License. This License conditions your rights to undertake 106 | the activities listed in Section 1, including your right to create Derivative 107 | Works based upon the Original Work, and doing so without honoring these terms 108 | and conditions is prohibited by copyright law and international treaty. 109 | Nothing in this License is intended to affect copyright exceptions and 110 | limitations (including "fair use" or "fair dealing"). This License shall 111 | terminate immediately and You may no longer exercise any of the rights granted 112 | to You by this License upon your failure to honor the conditions in Section 113 | 1(c). 114 | 115 | 10) Termination for Patent Action. 
This License shall terminate automatically 116 | and You may no longer exercise any of the rights granted to You by this 117 | License as of the date You commence an action, including a cross-claim or 118 | counterclaim, against Licensor or any licensee alleging that the Original Work 119 | infringes a patent. This termination provision shall not apply for an action 120 | alleging patent infringement by combinations of the Original Work with other 121 | software or hardware. 122 | 123 | 11) Jurisdiction, Venue and Governing Law. Any action or suit relating to this 124 | License may be brought only in the courts of a jurisdiction wherein the 125 | Licensor resides or in which Licensor conducts its primary business, and under 126 | the laws of that jurisdiction excluding its conflict-of-law provisions. The 127 | application of the United Nations Convention on Contracts for the 128 | International Sale of Goods is expressly excluded. Any use of the Original 129 | Work outside the scope of this License or after its termination shall be 130 | subject to the requirements and penalties of copyright or patent law in the 131 | appropriate jurisdiction. This section shall survive the termination of this 132 | License. 133 | 134 | 12) Attorneys' Fees. In any action to enforce the terms of this License or 135 | seeking damages relating thereto, the prevailing party shall be entitled to 136 | recover its costs and expenses, including, without limitation, reasonable 137 | attorneys' fees and costs incurred in connection with such action, including 138 | any appeal of such action. This section shall survive the termination of this 139 | License. 140 | 141 | 13) Miscellaneous. If any provision of this License is held to be 142 | unenforceable, such provision shall be reformed only to the extent necessary 143 | to make it enforceable. 144 | 145 | 14) Definition of "You" in This License. 
"You" throughout this License, 146 | whether in upper or lower case, means an individual or a legal entity 147 | exercising rights under, and complying with all of the terms of, this License. 148 | For legal entities, "You" includes any entity that controls, is controlled by, 149 | or is under common control with you. For purposes of this definition, 150 | "control" means (i) the power, direct or indirect, to cause the direction or 151 | management of such entity, whether by contract or otherwise, or (ii) ownership 152 | of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial 153 | ownership of such entity. 154 | 155 | 15) Right to Use. You may use the Original Work in all ways not otherwise 156 | restricted or conditioned by this License or by law, and Licensor promises not 157 | to interfere with or be responsible for such uses by You. 158 | 159 | 16) Modification of This License. This License is Copyright © 2005 Lawrence 160 | Rosen. Permission is granted to copy, distribute, or communicate this License 161 | without modification. Nothing in this License permits You to modify this 162 | License as applied to the Original Work or to Derivative Works. 
However, You 163 | may modify the text of this License and copy, distribute or communicate your 164 | modified version (the "Modified License") and apply it to other original works 165 | of authorship subject to the following conditions: (i) You may not indicate in 166 | any way that your Modified License is the "Open Software License" or "OSL" and 167 | you may not use those names in the name of your Modified License; (ii) You 168 | must replace the notice specified in the first paragraph above with the notice 169 | "Licensed under <insert your license name here>" or with a notice of your own 170 | that is not confusingly similar to the notice in this License; and (iii) You 171 | may not claim that your original works are open source software unless your 172 | Modified License has been approved by Open Source Initiative (OSI) and You 173 | comply with its license review and certification process. 174 | -------------------------------------------------------------------------------- /NtCreateUserProcess.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.3.32804.467 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{215A538B-D672-4D22-B66E-47FC7CB2AD3B}") = "NtCreateUserProcess", "NtCreateUserProcess.vcxproj", "{EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}.Debug|x64.ActiveCfg = Debug|x64 17 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}.Debug|x64.Build.0 = Debug|x64 18 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}.Debug|x86.ActiveCfg = Debug|Win32 19 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}.Debug|x86.Build.0 =
Debug|Win32 20 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}.Release|x64.ActiveCfg = Release|x64 21 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}.Release|x64.Build.0 = Release|x64 22 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}.Release|x86.ActiveCfg = Release|Win32 23 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {07026D92-4406-416E-9DE1-D02124EAA3FB} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /NtCreateUserProcess.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {EF4C6CCD-AF36-4EDE-9D7F-642B1C2CBFD3} 25 | NtCreateUserProcess 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | true 85 | 86 | 87 | 88 | TurnOffAllWarnings 89 | true 90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | true 92 | 93 | 94 | Console 95 | true 96 | %(AdditionalLibraryDirectories) 97 | 98 | 99 | 100 | 101 | Level3 102 | true 103 | true 104 | true 105 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | true 112 | true 113 | %(AdditionalLibraryDirectories) 114 | 115 | 116 | 117 | 118 | TurnOffAllWarnings 119 | true 120 | 
_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 121 | true 122 | 123 | 124 | Console 125 | true 126 | 127 | 128 | 129 | 130 | Level3 131 | true 132 | true 133 | true 134 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 135 | true 136 | 137 | 138 | Console 139 | true 140 | true 141 | true 142 | $(IntDir)$(TargetName)$(TargetExt).intermediate.manifest 143 | AsInvoker 144 | (AdditionalLibraryDirectories) 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | -------------------------------------------------------------------------------- /NtCreateUserProcess.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # What is this? 2 | 3 | This is a small PoC (proof of concept) that calls `NtCreateUserProcess` directly to spawn a Command Prompt (`cmd.exe`). 4 | It also showcases PPID* (Parent Process ID) spoofing, i.e. creating a process whose recorded parent is not the process that actually created it. 5 | 6 | \* You must hold a valid handle to the intended parent process; the handle needs `PROCESS_CREATE_PROCESS` access, which is what the kernel checks for the parent-process attribute. Note that kernel process-creation callbacks still see the real creating thread, so PPID spoofing only misleads tooling that relies on the recorded parent PID, not kernel-level telemetry. 7 | ## What is NtCreateUserProcess? 8 | `NtCreateUserProcess` is the lowest-level user-mode API for spawning a process: the `ntdll.dll` stub that issues the system call. Every Win32 process-creation API ultimately calls it. 9 | 10 | Call chain from the documented APIs down to `NtCreateUserProcess`: 11 | 12 | * kernel32.dll!CreateProcess 13 | * * CreateProcessInternalW 14 | * * * ntdll.dll!NtCreateUserProcess 15 |
16 | 17 | * ntdll.dll!RtlCreateUserProcessEx 18 | * * RtlpCreateUserProcess 19 | * * * ntdll.dll!NtCreateUserProcess 20 | 21 | ## Requirements 22 | ``` 23 | Visual Studio 24 | x86 or x64 machine (ARM or ARM64 is not tested) 25 | ``` 26 | 27 | ### Remarks 28 | Calling this API directly is fragile on Windows 10 (the structures it takes are undocumented and their layout is version-dependent), and that is where most other PoCs fail — especially when the executable is built as 32-bit (Win32/x86). 29 | 30 | 31 | [License](https://github.com/BlackOfWorld/NtCreateUserProcess/LICENSE.md) 32 | 33 | Please consider checking out my library [Windows-Native](https://github.com/BlackOfWorld/Windows-Native) 34 | -------------------------------------------------------------------------------- /imports.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #pragma comment( lib, "ntdll" ) 3 | #include 4 | #ifdef __cplusplus 5 | extern "C" 6 | { 7 | #endif 8 | typedef enum _PS_ATTRIBUTE_NUM 9 | { 10 | PsAttributeParentProcess, // in HANDLE 11 | PsAttributeDebugObject, // in HANDLE 12 | PsAttributeToken, // in HANDLE 13 | PsAttributeClientId, // out PCLIENT_ID 14 | PsAttributeTebAddress, // out PTEB * 15 | PsAttributeImageName, // in PWSTR 16 | PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION 17 | PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE 18 | PsAttributePriorityClass, // in UCHAR 19 | PsAttributeErrorMode, // in ULONG 20 | PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO 21 | PsAttributeHandleList, // in HANDLE[] 22 | PsAttributeGroupAffinity, // in PGROUP_AFFINITY 23 | PsAttributePreferredNode, // in PUSHORT 24 | PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER 25 | PsAttributeUmsThread, // ? 
in PUMS_CREATE_THREAD_ATTRIBUTES 26 | PsAttributeMitigationOptions, // in PPS_MITIGATION_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_POLICY_*) // since WIN8 27 | PsAttributeProtectionLevel, // in PS_PROTECTION // since WINBLUE 28 | PsAttributeSecureProcess, // in PPS_TRUSTLET_CREATE_ATTRIBUTES, since THRESHOLD 29 | PsAttributeJobList, // in HANDLE[] 30 | PsAttributeChildProcessPolicy, // 20, in PULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 31 | PsAttributeAllApplicationPackagesPolicy, // in PULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE 32 | PsAttributeWin32kFilter, // in PWIN32K_SYSCALL_FILTER 33 | PsAttributeSafeOpenPromptOriginClaim, // in 34 | PsAttributeBnoIsolation, // in PPS_BNO_ISOLATION_PARAMETERS // since REDSTONE2 35 | PsAttributeDesktopAppPolicy, // in PULONG (PROCESS_CREATION_DESKTOP_APP_*) 36 | PsAttributeChpe, // in BOOLEAN // since REDSTONE3 37 | PsAttributeMitigationAuditOptions, // in PPS_MITIGATION_AUDIT_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_AUDIT_POLICY_*) // since 21H1 38 | PsAttributeMachineType, // in WORD // since 21H2 39 | PsAttributeComponentFilter, 40 | PsAttributeEnableOptionalXStateFeatures, // since WIN11 41 | PsAttributeMax 42 | } PS_ATTRIBUTE_NUM; 43 | 44 | #define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01 45 | #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff 46 | #define PS_ATTRIBUTE_THREAD 0x00010000 // Attribute may be used with thread creation 47 | #define PS_ATTRIBUTE_INPUT 0x00020000 // Attribute is input only 48 | #define PS_ATTRIBUTE_ADDITIVE 0x00040000 // Attribute may be "accumulated", e.g. bitmasks, counters, etc. 49 | 50 | #define PsAttributeValue(Number, Thread, Input, Additive) \ 51 | (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ 52 | ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ 53 | ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ 54 | ((Additive) ? 
PS_ATTRIBUTE_ADDITIVE : 0)) 55 | 56 | #define PS_ATTRIBUTE_PARENT_PROCESS \ 57 | PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) // 0x60000 58 | #define PS_ATTRIBUTE_DEBUG_OBJECT \ 59 | PsAttributeValue(PsAttributeDebugObject, FALSE, TRUE, TRUE) // 0x60001 60 | #define PS_ATTRIBUTE_TOKEN \ 61 | PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) // 0x60002 62 | #define PS_ATTRIBUTE_CLIENT_ID \ 63 | PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) // 0x10003 64 | #define PS_ATTRIBUTE_TEB_ADDRESS \ 65 | PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) // 0x10004 66 | #define PS_ATTRIBUTE_IMAGE_NAME \ 67 | PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) // 0x20005 68 | #define PS_ATTRIBUTE_IMAGE_INFO \ 69 | PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) // 0x6 70 | #define PS_ATTRIBUTE_MEMORY_RESERVE \ 71 | PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) // 0x20007 72 | #define PS_ATTRIBUTE_PRIORITY_CLASS \ 73 | PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) // 0x20008 74 | #define PS_ATTRIBUTE_ERROR_MODE \ 75 | PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) // 0x20009 76 | #define PS_ATTRIBUTE_STD_HANDLE_INFO \ 77 | PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) // 0x2000A 78 | #define PS_ATTRIBUTE_HANDLE_LIST \ 79 | PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) // 0x2000B 80 | #define PS_ATTRIBUTE_GROUP_AFFINITY \ 81 | PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) // 0x2000C 82 | #define PS_ATTRIBUTE_PREFERRED_NODE \ 83 | PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) // 0x2000D 84 | #define PS_ATTRIBUTE_IDEAL_PROCESSOR \ 85 | PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) // 0x2000E 86 | #define PS_ATTRIBUTE_MITIGATION_OPTIONS \ 87 | PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, FALSE) // 0x60010 88 | #define PS_ATTRIBUTE_PROTECTION_LEVEL \ 89 | 
PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, FALSE) // 0x20011 90 | #define PS_ATTRIBUTE_SECURE_PROCESS \ 91 | PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE) // 0x20012 92 | #define PS_ATTRIBUTE_JOB_LIST \ 93 | PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE) // 0x20013 94 | #define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \ 95 | PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE) // 0x20014 96 | #define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \ 97 | PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE) // 0x20015 98 | #define PS_ATTRIBUTE_WIN32K_FILTER \ 99 | PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE) // 0x20016 100 | #define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \ 101 | PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE) // 0x20017 102 | #define PS_ATTRIBUTE_BNO_ISOLATION \ 103 | PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE) // 0x20018 104 | #define PS_ATTRIBUTE_DESKTOP_APP_POLICY \ 105 | PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE) // 0x20019 106 | #define PS_ATTRIBUTE_CHPE \ 107 | PsAttributeValue(PsAttributeChpe, FALSE, TRUE, TRUE) // 0x6001A 108 | #define PS_ATTRIBUTE_MITIGATION_AUDIT_OPTIONS \ 109 | PsAttributeValue(PsAttributeMitigationAuditOptions, FALSE, TRUE, FALSE) // 0x2001B 110 | #define PS_ATTRIBUTE_MACHINE_TYPE \ 111 | PsAttributeValue(PsAttributeMachineType, FALSE, TRUE, TRUE) // 0x6001C 112 | #define PS_ATTRIBUTE_COMPONENT_FILTER \ 113 | PsAttributeValue(PsAttributeComponentFilter, FALSE, TRUE, FALSE) // 0x2001D 114 | #define PS_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES \ 115 | PsAttributeValue(PsAttributeEnableOptionalXStateFeatures, TRUE, TRUE, FALSE) // 0x3001E 116 | 117 | typedef struct _PS_ATTRIBUTE 118 | { 119 | ULONG_PTR Attribute; // PROC_THREAD_ATTRIBUTE_XXX | PROC_THREAD_ATTRIBUTE_XXX modifiers, see ProcThreadAttributeValue macro and Windows Internals 6 (372) 120 | SIZE_T Size; // 
Size of Value or *ValuePtr 121 | union 122 | { 123 | ULONG_PTR Value; // Reserve 8 bytes for data (such as a Handle or a data pointer) 124 | PVOID ValuePtr; // data pointer 125 | }; 126 | PSIZE_T ReturnLength; // Either 0 or specifies size of data returned to caller via "ValuePtr" 127 | } PS_ATTRIBUTE, * PPS_ATTRIBUTE; 128 | 129 | typedef enum _PS_IFEO_KEY_STATE 130 | { 131 | PsReadIFEOAllValues, 132 | PsSkipIFEODebugger, 133 | PsSkipAllIFEO, 134 | PsMaxIFEOKeyStates 135 | } PS_IFEO_KEY_STATE, * PPS_IFEO_KEY_STATE; 136 | 137 | typedef enum _PS_CREATE_STATE 138 | { 139 | PsCreateInitialState, 140 | PsCreateFailOnFileOpen, 141 | PsCreateFailOnSectionCreate, 142 | PsCreateFailExeFormat, 143 | PsCreateFailMachineMismatch, 144 | PsCreateFailExeName, // Debugger specified 145 | PsCreateSuccess, 146 | PsCreateMaximumStates 147 | } PS_CREATE_STATE; 148 | 149 | typedef struct _PS_CREATE_INFO 150 | { 151 | SIZE_T Size; 152 | PS_CREATE_STATE State; 153 | union 154 | { 155 | // PsCreateInitialState 156 | struct 157 | { 158 | union 159 | { 160 | ULONG InitFlags; 161 | struct 162 | { 163 | UCHAR WriteOutputOnExit : 1; 164 | UCHAR DetectManifest : 1; 165 | UCHAR IFEOSkipDebugger : 1; 166 | UCHAR IFEODoNotPropagateKeyState : 1; 167 | UCHAR SpareBits1 : 4; 168 | UCHAR SpareBits2 : 8; 169 | USHORT ProhibitedImageCharacteristics : 16; 170 | } s1; 171 | } u1; 172 | ACCESS_MASK AdditionalFileAccess; 173 | } InitState; 174 | 175 | // PsCreateFailOnSectionCreate 176 | struct 177 | { 178 | HANDLE FileHandle; 179 | } FailSection; 180 | 181 | // PsCreateFailExeFormat 182 | struct 183 | { 184 | USHORT DllCharacteristics; 185 | } ExeFormat; 186 | 187 | // PsCreateFailExeName 188 | struct 189 | { 190 | HANDLE IFEOKey; 191 | } ExeName; 192 | 193 | // PsCreateSuccess 194 | struct 195 | { 196 | union 197 | { 198 | ULONG OutputFlags; 199 | struct 200 | { 201 | UCHAR ProtectedProcess : 1; 202 | UCHAR AddressSpaceOverride : 1; 203 | UCHAR DevOverrideEnabled : 1; // From Image File Execution Options 
204 | UCHAR ManifestDetected : 1; 205 | UCHAR ProtectedProcessLight : 1; 206 | UCHAR SpareBits1 : 3; 207 | UCHAR SpareBits2 : 8; 208 | USHORT SpareBits3 : 16; 209 | } s2; 210 | } u2; 211 | HANDLE FileHandle; 212 | HANDLE SectionHandle; 213 | ULONGLONG UserProcessParametersNative; 214 | ULONG UserProcessParametersWow64; 215 | ULONG CurrentParameterFlags; 216 | ULONGLONG PebAddressNative; 217 | ULONG PebAddressWow64; 218 | ULONGLONG ManifestAddress; 219 | ULONG ManifestSize; 220 | } SuccessState; 221 | }; 222 | } PS_CREATE_INFO, * PPS_CREATE_INFO; 223 | typedef struct _UNICODE_STRING 224 | { 225 | USHORT Length; 226 | USHORT MaximumLength; 227 | PWSTR Buffer; 228 | } UNICODE_STRING, * PUNICODE_STRING; 229 | typedef const UNICODE_STRING* PCUNICODE_STRING; 230 | typedef struct _PS_ATTRIBUTE_LIST 231 | { 232 | SIZE_T TotalLength; // sizeof(PS_ATTRIBUTE_LIST) 233 | PS_ATTRIBUTE Attributes[6]; // Depends on how many attribute entries should be supplied to NtCreateUserProcess 234 | } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST; 235 | typedef struct _CURDIR 236 | { 237 | UNICODE_STRING DosPath; 238 | HANDLE Handle; 239 | } CURDIR, * PCURDIR; 240 | typedef struct _RTL_DRIVE_LETTER_CURDIR 241 | { 242 | USHORT Flags; 243 | USHORT Length; 244 | ULONG TimeStamp; 245 | UNICODE_STRING DosPath; 246 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 247 | 248 | #define RTL_MAX_DRIVE_LETTERS 32 249 | typedef struct _RTL_USER_PROCESS_PARAMETERS 250 | { 251 | ULONG MaximumLength; 252 | ULONG Length; 253 | 254 | ULONG Flags; 255 | ULONG DebugFlags; 256 | 257 | HANDLE ConsoleHandle; 258 | ULONG ConsoleFlags; 259 | HANDLE StandardInput; 260 | HANDLE StandardOutput; 261 | HANDLE StandardError; 262 | 263 | CURDIR CurrentDirectory; 264 | UNICODE_STRING DllPath; 265 | UNICODE_STRING ImagePathName; 266 | UNICODE_STRING CommandLine; 267 | PWCHAR Environment; 268 | 269 | ULONG StartingX; 270 | ULONG StartingY; 271 | ULONG CountX; 272 | ULONG CountY; 273 | ULONG CountCharsX; 274 | ULONG 
CountCharsY; 275 | ULONG FillAttribute; 276 | 277 | ULONG WindowFlags; 278 | ULONG ShowWindowFlags; 279 | UNICODE_STRING WindowTitle; 280 | UNICODE_STRING DesktopInfo; 281 | UNICODE_STRING ShellInfo; 282 | UNICODE_STRING RuntimeData; 283 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 284 | 285 | ULONG_PTR EnvironmentSize; 286 | ULONG_PTR EnvironmentVersion; 287 | PVOID PackageDependencyData; 288 | ULONG ProcessGroupId; 289 | ULONG LoaderThreads; 290 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 291 | typedef struct _OBJECT_ATTRIBUTES 292 | { 293 | ULONG Length; 294 | HANDLE RootDirectory; 295 | PUNICODE_STRING ObjectName; 296 | ULONG Attributes; 297 | PVOID SecurityDescriptor; 298 | PVOID SecurityQualityOfService; 299 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 300 | NTSYSAPI 301 | NTSTATUS 302 | NTAPI 303 | RtlDestroyProcessParameters(PRTL_USER_PROCESS_PARAMETERS ProcessParameters); 304 | 305 | NTSYSAPI 306 | BOOLEAN 307 | NTAPI 308 | RtlFreeHeap(PVOID HeapHandle, ULONG Flags, PVOID BaseAddress); 309 | 310 | NTSYSAPI 311 | VOID 312 | NTAPI 313 | RtlInitUnicodeString(PUNICODE_STRING DestinationString, PWSTR SourceString); 314 | NTSYSAPI 315 | NTSTATUS 316 | NTAPI 317 | RtlCreateProcessParametersEx( 318 | PRTL_USER_PROCESS_PARAMETERS* pProcessParameters, 319 | PUNICODE_STRING ImagePathName, 320 | PUNICODE_STRING DllPath, 321 | PUNICODE_STRING CurrentDirectory, 322 | PUNICODE_STRING CommandLine, 323 | PVOID Environment, 324 | PUNICODE_STRING WindowTitle, 325 | PUNICODE_STRING DesktopInfo, 326 | PUNICODE_STRING ShellInfo, 327 | PUNICODE_STRING RuntimeData, 328 | ULONG Flags 329 | ); 330 | NTSYSCALLAPI 331 | NTSTATUS 332 | NTAPI 333 | NtCreateUserProcess( 334 | _Out_ PHANDLE ProcessHandle, 335 | _Out_ PHANDLE ThreadHandle, 336 | _In_ ACCESS_MASK ProcessDesiredAccess, 337 | _In_ ACCESS_MASK ThreadDesiredAccess, 338 | _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes, 339 | _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes, 
340 | _In_ ULONG ProcessFlags, 341 | _In_ ULONG ThreadFlags, 342 | _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, 343 | _Inout_ PPS_CREATE_INFO CreateInfo, 344 | _In_ PPS_ATTRIBUTE_LIST AttributeList 345 | ); 346 | 347 | NTSYSAPI 348 | PVOID 349 | NTAPI 350 | RtlAllocateHeap( 351 | _In_ PVOID HeapHandle, 352 | _In_opt_ ULONG Flags, 353 | _In_ SIZE_T Size 354 | ); 355 | 356 | typedef struct _PS_STD_HANDLE_INFO 357 | { 358 | union 359 | { 360 | ULONG Flags; 361 | struct 362 | { 363 | ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE 364 | ULONG PseudoHandleMask : 3; // PS_STD_* 365 | } s; 366 | }; 367 | ULONG StdHandleSubsystemType; 368 | } PS_STD_HANDLE_INFO, * PPS_STD_HANDLE_INFO; 369 | typedef struct _CLIENT_ID 370 | { 371 | HANDLE UniqueProcess; 372 | HANDLE UniqueThread; 373 | } CLIENT_ID, * PCLIENT_ID; 374 | 375 | typedef struct _SECTION_IMAGE_INFORMATION 376 | { 377 | PVOID TransferAddress; // Entry point 378 | ULONG ZeroBits; 379 | SIZE_T MaximumStackSize; 380 | SIZE_T CommittedStackSize; 381 | ULONG SubSystemType; 382 | union 383 | { 384 | struct 385 | { 386 | USHORT SubSystemMinorVersion; 387 | USHORT SubSystemMajorVersion; 388 | } s1; 389 | ULONG SubSystemVersion; 390 | } u1; 391 | union 392 | { 393 | struct 394 | { 395 | USHORT MajorOperatingSystemVersion; 396 | USHORT MinorOperatingSystemVersion; 397 | } s2; 398 | ULONG OperatingSystemVersion; 399 | } u2; 400 | USHORT ImageCharacteristics; 401 | USHORT DllCharacteristics; 402 | USHORT Machine; 403 | BOOLEAN ImageContainsCode; 404 | union 405 | { 406 | UCHAR ImageFlags; 407 | struct 408 | { 409 | UCHAR ComPlusNativeReady : 1; 410 | UCHAR ComPlusILOnly : 1; 411 | UCHAR ImageDynamicallyRelocated : 1; 412 | UCHAR ImageMappedFlat : 1; 413 | UCHAR BaseBelow4gb : 1; 414 | UCHAR ComPlusPrefer32bit : 1; 415 | UCHAR Reserved : 2; 416 | } s3; 417 | } u3; 418 | ULONG LoaderFlags; 419 | ULONG ImageFileSize; 420 | ULONG CheckSum; 421 | } SECTION_IMAGE_INFORMATION, * PSECTION_IMAGE_INFORMATION; 422 | typedef 
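struct _PEB_LDR_DATA
{
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;
    BOOLEAN ShutdownInProgress;
    HANDLE ShutdownThreadId;
} PEB_LDR_DATA, * PPEB_LDR_DATA;

// Partial PEB: only the leading fields up to ProcessHeap are declared (the real
// structure is longer). Reach it through the accessor macros below; never
// sizeof() or allocate it.
typedef struct _PEB
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN IsPackagedProcess : 1;
            BOOLEAN IsAppContainer : 1;
            BOOLEAN IsProtectedProcessLight : 1;
            BOOLEAN IsLongPathAwareProcess : 1;
        } s1;
    } u1;

    HANDLE Mutant;

    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
} PEB, * PPEB;

// Partial TEB, declared only as far as ProcessEnvironmentBlock (same caveat as PEB).
typedef struct _TEB
{
    NT_TIB NtTib;

    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;
} TEB, * PTEB;

// Accessors for the current process's PEB and default heap.
#define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
#define RtlProcessHeap() (NtCurrentPeb()->ProcessHeap)
#ifdef __cplusplus
}
#endif
--------------------------------------------------------------------------------
/main.cpp:
--------------------------------------------------------------------------------
#include <Windows.h>
// NOTE(review): a second system include was lost when this listing was rendered
// (it survives only as a bare "#include"); restore it from the repository.
#include "imports.h"

namespace {

// NT_SUCCESS equivalent without depending on winternl.h: the SUCCESS and
// INFORMATIONAL severity classes leave the sign bit of an NTSTATUS clear.
bool NtOk(NTSTATUS status)
{
    return status >= 0;
}

// Every scratch block below comes zero-filled from the process heap, so a NULL
// return is the only failure the caller has to check.
PVOID ZeroAlloc(SIZE_T size)
{
    return RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, size);
}

void HeapRelease(PVOID block)
{
    if (block)
        RtlFreeHeap(RtlProcessHeap(), 0, block);
}

// Closes a Win32/NT handle when the scope ends. Closing the handles returned by
// NtCreateUserProcess does not affect the child; the original leaked them.
struct ScopedHandle
{
    HANDLE value = NULL;

    ScopedHandle() = default;
    ScopedHandle(const ScopedHandle&) = delete;
    ScopedHandle& operator=(const ScopedHandle&) = delete;
    ~ScopedHandle()
    {
        if (value)
            CloseHandle(value);
    }
};

// Destroys the RTL_USER_PROCESS_PARAMETERS block on every exit path from main.
struct ScopedProcessParameters
{
    PRTL_USER_PROCESS_PARAMETERS value = NULL;

    ScopedProcessParameters() = default;
    ScopedProcessParameters(const ScopedProcessParameters&) = delete;
    ScopedProcessParameters& operator=(const ScopedProcessParameters&) = delete;
    ~ScopedProcessParameters()
    {
        if (value)
            RtlDestroyProcessParameters(value);
    }
};

// Owns the zero-filled heap blocks the attribute list points at, so they are
// released on every exit path (the original freed them only on the straight-line
// path and never checked the allocations).
struct AttributeBuffers
{
    PPS_STD_HANDLE_INFO stdHandleInfo =
        (PPS_STD_HANDLE_INFO)ZeroAlloc(sizeof(PS_STD_HANDLE_INFO));
    // Was sizeof(PS_ATTRIBUTE): allocate exactly what Attributes[0].Size declares.
    PCLIENT_ID clientId = (PCLIENT_ID)ZeroAlloc(sizeof(CLIENT_ID));
    PSECTION_IMAGE_INFORMATION secImgInfo =
        (PSECTION_IMAGE_INFORMATION)ZeroAlloc(sizeof(SECTION_IMAGE_INFORMATION));
    PPS_ATTRIBUTE_LIST attributeList =
        (PPS_ATTRIBUTE_LIST)ZeroAlloc(sizeof(PS_ATTRIBUTE_LIST));

    AttributeBuffers() = default;
    AttributeBuffers(const AttributeBuffers&) = delete;
    AttributeBuffers& operator=(const AttributeBuffers&) = delete;
    ~AttributeBuffers()
    {
        HeapRelease(attributeList);
        HeapRelease(stdHandleInfo);
        HeapRelease(clientId);
        HeapRelease(secImgInfo);
    }

    // RtlAllocateHeap returns NULL on failure; nothing may be dereferenced until this holds.
    bool Ok() const
    {
        return stdHandleInfo && clientId && secImgInfo && attributeList;
    }
};

} // namespace

// Launches cmd.exe through NtCreateUserProcess with a hand-built attribute
// list. Returns 0 when the process was created, 1 on any failure (parameter
// creation, heap allocation, or the create call itself).
int main()
{
    // Win32 path form goes into the process parameters; the NT-namespace form
    // ("\??\" prefix) is what PS_ATTRIBUTE_IMAGE_NAME carries. RtlInitUnicodeString
    // does not copy, so all three descriptors point at these string literals.
    UNICODE_STRING NtImagePath, Params, ImagePath;
    RtlInitUnicodeString(&ImagePath, (PWSTR)L"C:\\Windows\\System32\\cmd.exe");
    RtlInitUnicodeString(&NtImagePath, (PWSTR)L"\\??\\C:\\Windows\\System32\\cmd.exe");
    RtlInitUnicodeString(&Params, (PWSTR)L"\"C:\\WINDOWS\\SYSTEM32\\cmd.exe\" /k echo Hello world!");

    // Create the process parameters; the original ignored the NTSTATUS and
    // would have passed a NULL block to NtCreateUserProcess on failure.
    ScopedProcessParameters params;
    NTSTATUS status = RtlCreateProcessParametersEx(&params.value, &ImagePath, NULL, NULL, &Params,
                                                   NULL, NULL, NULL, NULL, NULL,
                                                   RTL_USER_PROCESS_PARAMETERS_NORMALIZED);
    if (!NtOk(status) || params.value == NULL)
        return 1;

    // Initialize the PS_CREATE_INFO structure
    PS_CREATE_INFO CreateInfo = { 0 };
    CreateInfo.Size = sizeof(CreateInfo);
    CreateInfo.State = PsCreateInitialState;

    //Skip Image File Execution Options debugger
    CreateInfo.InitState.u1.InitFlags = PsSkipIFEODebugger;

    // Length only: no object name and no explicit security descriptor.
    OBJECT_ATTRIBUTES objAttr = { sizeof(OBJECT_ATTRIBUTES) };

    AttributeBuffers buffers;
    if (!buffers.Ok())
        return 1;
    PPS_ATTRIBUTE_LIST AttributeList = buffers.attributeList;

    // Create necessary attributes. ValuePtr targets must stay alive until
    // NtCreateUserProcess returns; everything referenced here is either heap
    // owned by `buffers` or a local of this function.
    AttributeList->TotalLength = sizeof(PS_ATTRIBUTE_LIST);
    AttributeList->Attributes[0].Attribute = PS_ATTRIBUTE_CLIENT_ID;
    AttributeList->Attributes[0].Size = sizeof(CLIENT_ID);
    AttributeList->Attributes[0].ValuePtr = buffers.clientId;

    AttributeList->Attributes[1].Attribute = PS_ATTRIBUTE_IMAGE_INFO;
    AttributeList->Attributes[1].Size = sizeof(SECTION_IMAGE_INFORMATION);
    AttributeList->Attributes[1].ValuePtr = buffers.secImgInfo;

    AttributeList->Attributes[2].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
    AttributeList->Attributes[2].Size = NtImagePath.Length;
    AttributeList->Attributes[2].ValuePtr = NtImagePath.Buffer;

    AttributeList->Attributes[3].Attribute = PS_ATTRIBUTE_STD_HANDLE_INFO;
    AttributeList->Attributes[3].Size = sizeof(PS_STD_HANDLE_INFO);
    AttributeList->Attributes[3].ValuePtr = buffers.stdHandleInfo;

    // Process mitigation applied to the child: restrict which images it may
    // load to Microsoft-signed binaries. Must outlive the create call.
    DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;

    // Add process mitigation attribute
    AttributeList->Attributes[4].Attribute = PS_ATTRIBUTE_MITIGATION_OPTIONS;
    AttributeList->Attributes[4].Size = sizeof(DWORD64);
    AttributeList->Attributes[4].ValuePtr = &policy;

    // Spoof Parent Process Id as explorer.exe
    // trayPID was uninitialized in the original: when the tray window is absent
    // GetWindowThreadProcessId writes nothing and OpenProcess received garbage.
    ScopedHandle parent;
    DWORD trayPID = 0;
    HWND trayWnd = FindWindowW(L"Shell_TrayWnd", NULL);
    if (trayWnd != NULL && GetWindowThreadProcessId(trayWnd, &trayPID) != 0 && trayPID != 0)
        parent.value = OpenProcess(PROCESS_ALL_ACCESS, FALSE, trayPID);

    if (parent.value)
    {
        AttributeList->Attributes[5].Attribute = PS_ATTRIBUTE_PARENT_PROCESS;
        AttributeList->Attributes[5].Size = sizeof(HANDLE);
        AttributeList->Attributes[5].ValuePtr = parent.value;
    }
    else
    {
        // The parent attribute occupies the last slot, so dropping it only
        // requires shortening TotalLength. Assumes PS_ATTRIBUTE_LIST declares
        // exactly six entries -- confirm in imports.h.
        AttributeList->TotalLength -= sizeof(PS_ATTRIBUTE);
    }

    // Create the process. The returned handles are closed by ScopedHandle on
    // return; the original never closed them.
    ScopedHandle process, thread;
    status = NtCreateUserProcess(&process.value, &thread.value, MAXIMUM_ALLOWED, MAXIMUM_ALLOWED,
                                 &objAttr, &objAttr, 0, 0, params.value, &CreateInfo, AttributeList);

    // Clean up happens in the destructors: handles, heap blocks, process parameters.
    return NtOk(status) ? 0 : 1;
}
--------------------------------------------------------------------------------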