Fake 父进程（PPID spoofing，伪造父进程）
Steam 游戏会检查自己的父进程必须是 steam.exe；而由 x64dbg 启动调试时，被调试进程的父进程又必然是 x64dbg。下面的代码在 x64dbg 自身内 hook 了 CreateProcessW，用 PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 把新进程的父进程伪装成 steam.exe（即 PPID spoofing）。但打上这个 patch 之后，x64dbg 就没办法正常调试了，此方法宣告失败。
#include "plugin.h"
#include <MinHook.h>
#include <windows.h>
#include <TlHelp32.h>
#include <cstdarg>
#include <cstdio>
#include <cwchar>
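// printf-style wrapper around OutputDebugStringW for wide-character format
// strings. The message is formatted into a 4096-character stack buffer and
// always NUL-terminated; anything longer is truncated. strOutputString must
// not be NULL.
inline void OutputDebug(const WCHAR* strOutputString, ...) {
    WCHAR strBuffer[4096] = { 0 };
    va_list vlArgs;
    va_start(vlArgs, strOutputString);
    // _TRUNCATE: an over-long message is cut short instead of tripping the
    // CRT invalid-parameter handler, which (per the _vsnwprintf_s docs) is
    // what the previous "count == buffer size" call did when the formatted
    // text did not fit. The full array size is passed so no character is
    // wasted.
    _vsnwprintf_s(strBuffer, ARRAYSIZE(strBuffer), _TRUNCATE, strOutputString, vlArgs);
    va_end(vlArgs);
    OutputDebugStringW(strBuffer);
}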
// Looks up the PID of a running process by its image name (defined at the
// bottom of this file).
BOOL GetProcessIdByName(const wchar_t* szProcessName, DWORD& dwPid);
// Replacement for CreateProcessW that pluginInit installs with MinHook; it
// has exactly the signature of the API it replaces.
BOOL
WINAPI
DetourCreateProcessW(
_In_opt_ LPCWSTR lpApplicationName,
_Inout_opt_ LPWSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags,
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCWSTR lpCurrentDirectory,
_In_ LPSTARTUPINFOW lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
);
// Trampoline to the original CreateProcessW. MH_CreateHook in pluginInit
// fills it in; DetourCreateProcessW forwards every call through it.
decltype(&DetourCreateProcessW) ori;
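//Initialize your plugin data here.
// Installs the CreateProcessW hook (see DetourCreateProcessW).
// Returns false -- which cancels loading the plugin -- if MinHook cannot be
// initialised or the hook cannot be created or enabled, so x64dbg never runs
// with a half-installed hook. The original ignored the MH_CreateHook and
// MH_EnableHook results and reported success regardless.
bool pluginInit(PLUG_INITSTRUCT* initStruct) {
    (void)initStruct; // not used by this plugin

    if (MH_Initialize() != MH_OK) {
        return false;
    }
    // MinHook writes the trampoline to the original function into `ori`.
    if (MH_CreateHook((LPVOID)&CreateProcessW, (LPVOID)&DetourCreateProcessW,
                      (LPVOID*)&ori) != MH_OK) {
        MH_Uninitialize();
        return false;
    }
    if (MH_EnableHook(MH_ALL_HOOKS) != MH_OK) {
        // MH_Uninitialize disables and removes every hook created so far.
        MH_Uninitialize();
        return false;
    }
    return true; // Return false to cancel loading the plugin.
}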
//Deinitialize your plugin data here.
void pluginStop()
{
}
//Do GUI/Menu related things here.
// This plugin adds no menus or GUI elements; all of its work is the hook
// installed in pluginInit, so there is nothing to set up here.
void pluginSetup()
{
}
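// Hook body for CreateProcessW.
//
// If a steam.exe process is running, the new process is created with
// PROC_THREAD_ATTRIBUTE_PARENT_PROCESS pointing at it (PPID spoofing, see the
// ired.team link at the end of this file), so the child sees steam.exe as its
// parent. In every other case -- no Steam, the caller already passes its own
// STARTUPINFOEX/attribute list (they cannot be merged here), or any step of
// the set-up fails -- the call is forwarded to the real CreateProcessW
// unchanged rather than failed, so x64dbg can still start the target.
//
// Parameters and return value are those of CreateProcessW; the original
// function fills lpProcessInformation and sets the last error.
//
// Fixes over the previous version:
//  * dwCreationFlags is preserved and EXTENDED_STARTUPINFO_PRESENT is OR-ed
//    in; the old code replaced the flags outright, which dropped whatever the
//    debugger passed (e.g. DEBUG_PROCESS / CREATE_SUSPENDED).
//  * the caller's STARTUPINFOW contents are copied instead of replaced by an
//    all-zero struct.
//  * a failed OpenProcess no longer feeds a NULL handle into the attribute
//    list; the call falls back to the plain CreateProcessW.
//  * the parent handle and the attribute list are released; the handle is
//    opened with PROCESS_CREATE_PROCESS, the only right the parent attribute
//    needs, instead of PROCESS_ALL_ACCESS.
//
// NOTE(review): with a spoofed parent, inheritable handles (bInheritHandles)
// come from the spoofed parent rather than from x64dbg -- confirm this is
// acceptable for the debugger's own handles before relying on this hook.
BOOL
WINAPI
DetourCreateProcessW(
    _In_opt_ LPCWSTR lpApplicationName,
    _Inout_opt_ LPWSTR lpCommandLine,
    _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ BOOL bInheritHandles,
    _In_ DWORD dwCreationFlags,
    _In_opt_ LPVOID lpEnvironment,
    _In_opt_ LPCWSTR lpCurrentDirectory,
    _In_ LPSTARTUPINFOW lpStartupInfo,
    _Out_ LPPROCESS_INFORMATION lpProcessInformation) {
    // lpApplicationName may legitimately be NULL (command line only).
    OutputDebug(L"[x64dbg]启动进程 %ws\n",
                lpApplicationName ? lpApplicationName : L"(null)");

    DWORD steam_pid = 0;
    const bool is_steam_exist = GetProcessIdByName(L"steam.exe", steam_pid) != FALSE;

    // Pass-through cases: nothing to spoof, or the caller already uses an
    // extended STARTUPINFO (we cannot merge attribute lists), or a
    // STARTUPINFO we cannot safely copy.
    if (!is_steam_exist ||
        (dwCreationFlags & EXTENDED_STARTUPINFO_PRESENT) != 0 ||
        lpStartupInfo == NULL ||
        lpStartupInfo->cb != sizeof(STARTUPINFOW)) {
        return ori(lpApplicationName, lpCommandLine, lpProcessAttributes,
                   lpThreadAttributes, bInheritHandles, dwCreationFlags,
                   lpEnvironment, lpCurrentDirectory, lpStartupInfo,
                   lpProcessInformation);
    }

    OutputDebug(L"[x64dbg] steam id %x\n", steam_pid);

    // PROC_THREAD_ATTRIBUTE_PARENT_PROCESS only needs PROCESS_CREATE_PROCESS.
    HANDLE parentProcessHandle = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, steam_pid);
    if (parentProcessHandle == NULL) {
        OutputDebug(L"[x64dbg] Cant open steam\n");
        return ori(lpApplicationName, lpCommandLine, lpProcessAttributes,
                   lpThreadAttributes, bInheritHandles, dwCreationFlags,
                   lpEnvironment, lpCurrentDirectory, lpStartupInfo,
                   lpProcessInformation);
    }

    // Keep everything the caller put in its STARTUPINFO (desktop, std
    // handles, window flags); only cb and the attribute list change.
    STARTUPINFOEXW si;
    ZeroMemory(&si, sizeof(si));
    si.StartupInfo = *lpStartupInfo;
    si.StartupInfo.cb = sizeof(STARTUPINFOEXW);

    // First call only sizes the list and fails with ERROR_INSUFFICIENT_BUFFER
    // by design, so its result is not checked.
    SIZE_T attributeSize = 0;
    InitializeProcThreadAttributeList(NULL, 1, 0, &attributeSize);
    LPPROC_THREAD_ATTRIBUTE_LIST attributeList =
        (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attributeSize);
    const bool listInitialized =
        attributeList != NULL &&
        InitializeProcThreadAttributeList(attributeList, 1, 0, &attributeSize) != FALSE;
    const bool parentSet =
        listInitialized &&
        UpdateProcThreadAttribute(attributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                                  &parentProcessHandle, sizeof(parentProcessHandle),
                                  NULL, NULL) != FALSE;

    BOOL result;
    if (parentSet) {
        si.lpAttributeList = attributeList;
        // Preserve the caller's creation flags and only add the bit that
        // tells CreateProcessW to look at lpAttributeList.
        result = ori(lpApplicationName, lpCommandLine, lpProcessAttributes,
                     lpThreadAttributes, bInheritHandles,
                     dwCreationFlags | EXTENDED_STARTUPINFO_PRESENT,
                     lpEnvironment, lpCurrentDirectory, &si.StartupInfo,
                     lpProcessInformation);
    } else {
        OutputDebug(L"[x64dbg] parent attribute setup failed, starting normally\n");
        result = ori(lpApplicationName, lpCommandLine, lpProcessAttributes,
                     lpThreadAttributes, bInheritHandles, dwCreationFlags,
                     lpEnvironment, lpCurrentDirectory, lpStartupInfo,
                     lpProcessInformation);
    }

    // Clean up without clobbering the error code CreateProcessW set for the
    // caller. The attribute list and the parent handle must stay alive until
    // the real CreateProcessW has returned, which is why this comes last.
    const DWORD lastError = GetLastError();
    if (listInitialized) {
        DeleteProcThreadAttributeList(attributeList);
    }
    if (attributeList != NULL) {
        HeapFree(GetProcessHeap(), 0, attributeList);
    }
    CloseHandle(parentProcessHandle);
    SetLastError(lastError);
    return result;
}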
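// Finds the PID of the first running process whose image name equals
// szProcessName. The comparison is exact and case-insensitive against
// PROCESSENTRY32W.szExeFile (file name only, no path).
//
// Returns TRUE and stores the PID in dwPid when a match is found. Returns
// FALSE, leaving dwPid untouched, when szProcessName is NULL, no such
// process exists, or the snapshot could not be taken. If several processes
// share the name, the first one in snapshot order wins.
//
// Fixes over the previous version: CreateToolhelp32Snapshot reports failure
// with INVALID_HANDLE_VALUE, not NULL, so the old check never fired; the
// snapshot handle was never closed; and wcsstr() matched any process whose
// name merely contained the string (e.g. "notsteam.exe").
BOOL GetProcessIdByName(const wchar_t *szProcessName, DWORD& dwPid)
{
    if (szProcessName == NULL) {
        return FALSE;
    }

    HANDLE hSnapProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapProcess == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    BOOL found = FALSE;
    PROCESSENTRY32W pe32 = { 0 };
    pe32.dwSize = sizeof(pe32); // required by Process32FirstW
    for (BOOL more = Process32FirstW(hSnapProcess, &pe32); more;
         more = Process32NextW(hSnapProcess, &pe32)) {
        if (_wcsicmp(pe32.szExeFile, szProcessName) == 0) {
            dwPid = pe32.th32ProcessID;
            found = TRUE;
            break;
        }
    }

    CloseHandle(hSnapProcess);
    return found;
}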
参考（PPID spoofing 原理）：https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing