Detect-KeAttachProcess by iterating through all processes as well as checking the context of the thread.

Overview

Detect-KeAttachProcess

Recently I started studying the KeAttachProcess routine, and more specifically how you can find out that your process has been attached to. As soon as we start looking at the function, we see that it first gets the context of the current thread, the one from which KeAttachProcess was called.

Also note that the PROCESS argument is copied into the "v2" variable; this is the target process that the caller will later be attached to.

The current thread of the calling process, together with the PROCESS argument, is then passed to the "KiAttachProcess" function.

We switch to this function, and after studying it a little, we see that the target process (v2) is written to offset "0xB8" of the current thread's context.

The further plan is as follows:

  1. Go through all the processes
  2. Go through all the threads of each process in the system
  3. Look at what is stored at offset "0xB8" in the context of each thread.

If the process is not attached to anything, offset "0xB8" normally holds the "PEPROCESS" of the thread's own process; if the process has been attached to another process, offset "0xB8" holds the "PEPROCESS" of the target process instead.
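To make the three steps and the comparison concrete, here is an added example in C that is not part of the original project. It does not run in the kernel: it builds a constructed, in-memory model of a few processes and their threads, stores the "attached" process pointer at the same offset "0xB8" that the write-up observed inside the thread object, and then walks every thread of every process flagging those whose pointer at that offset is not their own process. The struct layouts, process names, and the helper names (`mock_kthread`, `mock_eprocess`, `scan_processes`, `build_and_scan`) are all assumptions made for the example; only the offset comes from the write-up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset at which the write-up observed KiAttachProcess storing the target
 * process inside the thread object. It is build-specific; the mock thread
 * below only reproduces this one field, not the real _KTHREAD layout. */
#define ATTACHED_PROCESS_OFFSET 0xB8

#define MAX_THREADS 4
#define MAX_PROCS   4

struct mock_eprocess;

/* Constructed stand-in for a thread object: an opaque blob in which the
 * pointer at ATTACHED_PROCESS_OFFSET plays the role of the field the
 * write-up examines, plus the owning process used for the comparison. */
typedef struct {
    uint8_t raw[0x100];
    struct mock_eprocess *owner;
} mock_kthread;

/* Constructed stand-in for a process and its thread list. */
typedef struct mock_eprocess {
    const char *name;
    mock_kthread threads[MAX_THREADS];
    size_t thread_count;
} mock_eprocess;

/* Read/write the pointer stored at the observed offset byte-wise, the way a
 * scanner that only knows the offset would. */
static mock_eprocess *read_attached(const mock_kthread *t) {
    mock_eprocess *p;
    memcpy(&p, t->raw + ATTACHED_PROCESS_OFFSET, sizeof p);
    return p;
}
static void write_attached(mock_kthread *t, mock_eprocess *p) {
    memcpy(t->raw + ATTACHED_PROCESS_OFFSET, &p, sizeof p);
}

/* The check from the write-up: a thread is attached when the process found
 * at the offset is not the process the thread belongs to. */
int thread_is_attached(const mock_kthread *t) {
    return read_attached(t) != t->owner;
}

typedef struct {
    const char *owner;   /* process the attached thread belongs to */
    const char *target;  /* process it is currently attached to */
} attach_hit;

/* Steps 1-3: walk every thread of every process and collect the hits.
 * Returns the total number of attached threads found (may exceed max_hits). */
size_t scan_processes(mock_eprocess *procs, size_t nprocs,
                      attach_hit *hits, size_t max_hits) {
    size_t found = 0;
    for (size_t i = 0; i < nprocs; i++) {
        for (size_t j = 0; j < procs[i].thread_count; j++) {
            mock_kthread *t = &procs[i].threads[j];
            if (!thread_is_attached(t))
                continue;
            if (found < max_hits) {
                hits[found].owner  = procs[i].name;
                hits[found].target = read_attached(t)->name;
            }
            found++;
        }
    }
    return found;
}

/* Populate a process with n threads, each pointing at its own process,
 * which is the normal (not attached) state the write-up describes. */
static void init_process(mock_eprocess *p, const char *name, size_t n) {
    memset(p, 0, sizeof *p);
    p->name = name;
    p->thread_count = n;
    for (size_t i = 0; i < n; i++) {
        p->threads[i].owner = p;
        write_attached(&p->threads[i], p);
    }
}

/* Constructed system: three processes; one thread of "svc.exe" has been
 * attached to "target.exe", all other threads are in their normal state. */
size_t build_and_scan(attach_hit *hits, size_t max_hits) {
    static mock_eprocess procs[MAX_PROCS];
    init_process(&procs[0], "System",     2);
    init_process(&procs[1], "svc.exe",    3);
    init_process(&procs[2], "target.exe", 1);
    write_attached(&procs[1].threads[1], &procs[2]);  /* models KeAttachProcess */
    return scan_processes(procs, 3, hits, max_hits);
}

int main(void) {
    attach_hit hits[8];
    size_t n = build_and_scan(hits, 8);
    printf("attached threads found: %zu\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  thread of %s is attached to %s\n", hits[i].owner, hits[i].target);
    return 0;
}
```

The comparison is the whole detection: the field at the offset is read for every thread and compared with the process that thread belongs to, and only a mismatch counts. Two caveats carry over to a real driver. The offset is specific to the Windows build the write-up was disassembling (on current x64 builds it corresponds to the ApcState.Process field of the thread object), so a production check should resolve it from symbols or verify it at load time rather than hard-code it. And a scan is a point-in-time snapshot: an attach that begins and ends between two passes is not seen, which is why this kind of check is usually run repeatedly or combined with other signals.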

I have implemented a check for this for every process in the system, and here is my result:
