Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions src/reversing/common-api-used-in-malware.md
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,39 @@ Find a thread from a process and make it load a malicious DLL
4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
5. Resume the thread loading the library: ResumeThread

### Process Parameter Poisoning (P³)

`CreateProcessW` can be abused as a **remote staging primitive** because Windows copies several attacker-controlled startup parameters into the child process before it starts executing. Instead of the classic `VirtualAllocEx` + `WriteProcessMemory` + `CreateRemoteThread` chain, the payload is smuggled inside normal process metadata and later reached through the target `PEB.ProcessParameters`.

Useful carriers copied into `RTL_USER_PROCESS_PARAMETERS`:
- `lpCommandLine``CommandLine.Buffer`
- `lpEnvironment``Environment`
- `STARTUPINFOW.lpReserved``ShellInfo.Buffer`

Typical workflow:

1. Create a child process with the payload embedded in `lpCommandLine`, `lpEnvironment`, or `STARTUPINFOW.lpReserved`.
2. Query `ProcessBasicInformation` with `NtQueryInformationProcess` to recover `PROCESS_BASIC_INFORMATION.PebBaseAddress`.
3. Read the remote `PEB`, then read `PEB.ProcessParameters` as `RTL_USER_PROCESS_PARAMETERS` to obtain the copied buffer address.
4. Change the protection of the staged bytes with `NtProtectVirtualMemory` / `VirtualProtectEx` (for example to `PAGE_EXECUTE_READ`).
5. Redirect the main thread to the staged buffer with `NtGetContextThread` + `NtSetContextThread` instead of creating a new remote thread.

Why it is interesting
- Avoids the most monitored injection chain: no `VirtualAllocEx`, no `WriteProcessMemory`, no `NtWriteVirtualMemory`, no `CreateRemoteThread`.
- The payload lands in memory Windows already created for legitimate startup state, so the only clearly malicious steps may be the later protection change and control-flow pivot.
- The same pattern can be combined with thread hijacking / early-bird style execution because the staging and execution primitives are independent.

Operational details
- `CreateProcessW` may **modify** the Unicode command-line buffer, so `lpCommandLine` must point to writable memory.
- `lpEnvironment` must respect the wide-char `NAME=VALUE\0...\0\0` layout; operators often prepend a fake variable such as `L"A="` and large padding before the shellcode.
- Because these transports are **string-like and null-terminated**, a first stage often needs **null-free shellcode** that later allocates/copies a second stage containing arbitrary bytes.
- `STARTUPINFOW.lpReserved` is officially “reserved”, but it is copied into `RTL_USER_PROCESS_PARAMETERS.ShellInfo`, making it another staging location.

Detection ideas
- Memory protection changes that make pages inside or adjacent to `CommandLine.Buffer`, `Environment`, or `ShellInfo.Buffer` executable.
- `NtQueryInformationProcess(ProcessBasicInformation)` followed by remote reads of `PEB.ProcessParameters`, then `NtSetContextThread` pointing `RIP/EIP` into process-parameter memory.
- Very long or binary-looking command lines / environment blocks, especially with high-entropy data, large `0x41` padding, or fake `NAME=VALUE` prefixes used only as shellcode wrappers.

### PE Injection

Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.
Expand Down Expand Up @@ -240,6 +273,7 @@ Common host processes and path resolution
- [Unit 42 – PhantomVAI Loader Delivers a Range of Infostealers](https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/)
- [MITRE ATT&CK – Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)](https://attack.mitre.org/techniques/T1127/001/)
- [VMDetector – virtualization checks (open-source)](https://github.com/robsonfelix/VMDetector)
- [Orange Cyberdefense – P³-Shellcode Loader / Process Parameter Poisoning](https://github.com/Orange-Cyberdefense/p3-loader)

{{#include ../banners/hacktricks-training.md}}

Expand Down