From 51892a446582ad9be0fc0b0fdde95ba2cf4c9564 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 10 Jul 2026 02:49:49 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20P=C2=B3-Shellcode=20Loa?= =?UTF-8?q?der=20-=20Process=20Parameter=20Poisoning?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/reversing/common-api-used-in-malware.md | 34 +++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/src/reversing/common-api-used-in-malware.md b/src/reversing/common-api-used-in-malware.md index 4d318d961aa..8b6f441ad1b 100644 --- a/src/reversing/common-api-used-in-malware.md +++ b/src/reversing/common-api-used-in-malware.md @@ -150,6 +150,39 @@ Find a thread from a process and make it load a malicious DLL 4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory 5. Resume the thread loading the library: ResumeThread +### Process Parameter Poisoning (P³) + +`CreateProcessW` can be abused as a **remote staging primitive** because Windows copies several attacker-controlled startup parameters into the child process before it starts executing. Instead of the classic `VirtualAllocEx` + `WriteProcessMemory` + `CreateRemoteThread` chain, the payload is smuggled inside normal process metadata and later reached through the target `PEB.ProcessParameters`. + +Useful carriers copied into `RTL_USER_PROCESS_PARAMETERS`: +- `lpCommandLine` → `CommandLine.Buffer` +- `lpEnvironment` → `Environment` +- `STARTUPINFOW.lpReserved` → `ShellInfo.Buffer` + +Typical workflow: + +1. Create a child process with the payload embedded in `lpCommandLine`, `lpEnvironment`, or `STARTUPINFOW.lpReserved`. +2. Query `ProcessBasicInformation` with `NtQueryInformationProcess` to recover `PROCESS_BASIC_INFORMATION.PebBaseAddress`. +3. Read the remote `PEB`, then read `PEB.ProcessParameters` as `RTL_USER_PROCESS_PARAMETERS` to obtain the copied buffer address. +4. Change the protection of the staged bytes with `NtProtectVirtualMemory` / `VirtualProtectEx` (for example to `PAGE_EXECUTE_READ`). +5. Redirect the main thread to the staged buffer with `NtGetContextThread` + `NtSetContextThread` instead of creating a new remote thread. + +Why it is interesting +- Avoids the most monitored injection chain: no `VirtualAllocEx`, no `WriteProcessMemory`, no `NtWriteVirtualMemory`, no `CreateRemoteThread`. +- The payload lands in memory Windows already created for legitimate startup state, so the only clearly malicious steps may be the later protection change and control-flow pivot. +- The same pattern can be combined with thread hijacking / early-bird style execution because the staging and execution primitives are independent. + +Operational details +- `CreateProcessW` may **modify** the Unicode command-line buffer, so `lpCommandLine` must point to writable memory. +- `lpEnvironment` must respect the wide-char `NAME=VALUE\0...\0\0` layout; operators often prepend a fake variable such as `L"A="` and large padding before the shellcode. +- Because these transports are **string-like and null-terminated**, a first stage often needs **null-free shellcode** that later allocates/copies a second stage containing arbitrary bytes. +- `STARTUPINFOW.lpReserved` is officially “reserved”, but it is copied into `RTL_USER_PROCESS_PARAMETERS.ShellInfo`, making it another staging location. + +Detection ideas +- Memory protection changes that make pages inside or adjacent to `CommandLine.Buffer`, `Environment`, or `ShellInfo.Buffer` executable. +- `NtQueryInformationProcess(ProcessBasicInformation)` followed by remote reads of `PEB.ProcessParameters`, then `NtSetContextThread` pointing `RIP/EIP` into process-parameter memory. +- Very long or binary-looking command lines / environment blocks, especially with high-entropy data, large `0x41` padding, or fake `NAME=VALUE` prefixes used only as shellcode wrappers. + ### PE Injection Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there. @@ -240,6 +273,7 @@ Common host processes and path resolution - [Unit 42 – PhantomVAI Loader Delivers a Range of Infostealers](https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/) - [MITRE ATT&CK – Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)](https://attack.mitre.org/techniques/T1127/001/) - [VMDetector – virtualization checks (open-source)](https://github.com/robsonfelix/VMDetector) +- [Orange Cyberdefense – P³-Shellcode Loader / Process Parameter Poisoning](https://github.com/Orange-Cyberdefense/p3-loader) {{#include ../banners/hacktricks-training.md}}