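// Hook kernel32!CreateProcessW in the current process and report every child
// process it creates. CreateProcessW argument layout (same on x86 and x64):
//   args[0] lpApplicationName    args[1] lpCommandLine
//   args[2] lpProcessAttributes  args[3] lpThreadAttributes
//   args[4] bInheritHandles      args[5] dwCreationFlags
//   args[6] lpEnvironment        args[7] lpCurrentDirectory
//   args[8] lpStartupInfo        args[9] lpProcessInformation (out)
// NOTE(review): the static Module.findExportByName(module, name) form has been
// deprecated/removed in recent Frida releases in favour of
// Process.getModuleByName(module).findExportByName(name) — confirm against the
// Frida version in use.
const kernel32 = Module.findExportByName("kernel32.dll", "CreateProcessW");
if (kernel32) {
  Interceptor.attach(kernel32, {
    onEnter: function (args) {
      // args[n] are NativePointer objects and are always truthy, so a NULL
      // pointer must be detected with isNull(); otherwise readUtf16String()
      // faults on the very common CreateProcessW(NULL, cmdline, ...) shape.
      const lpApplicationName = args[0];
      const lpCommandLine = args[1];
      if (!lpApplicationName.isNull()) {
        send("[*] Creating process: " + lpApplicationName.readUtf16String());
      }
      if (!lpCommandLine.isNull()) {
        send("[*] Creating process with command line: " + lpCommandLine.readUtf16String());
      }
      // The child's PID is returned through the caller's PROCESS_INFORMATION
      // out-struct (args[9]); args[5] is dwCreationFlags, not a handle or a
      // PID. The struct is only populated once the call succeeds, so keep the
      // pointer here and read it in onLeave.
      this.lpProcessInformation = args[9];
    },
    onLeave: function (retval) {
      if (retval.toInt32() === 0) {
        send("[-] Failed to create child process");
        return;
      }
      if (this.lpProcessInformation.isNull()) {
        send("[-] Child process created but lpProcessInformation is NULL; PID unknown");
        return;
      }
      // PROCESS_INFORMATION { HANDLE hProcess; HANDLE hThread;
      //                       DWORD dwProcessId; DWORD dwThreadId; }
      // dwProcessId follows the two handles, hence offset 2 * pointer size.
      const childPid = this.lpProcessInformation
        .add(2 * Process.pointerSize)
        .readU32();
      send("[+] Child process created with PID: " + childPid);
      // NOTE(review): this agent runs inside the parent; attachAndMonitor
      // cannot attach to the child by PID from here. Cross-process attach
      // has to be driven from the host side (device.attach(pid) or spawn
      // with child gating) — verify the intended workflow.
      attachAndMonitor(childPid);
    }
  });
}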
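/**
 * Hook every export of ntdll.dll in the CURRENT process and report each call.
 *
 * NOTE(review): despite its name, this does not attach to `pid`. A Frida agent
 * lives inside one process and Process.getModuleByName() resolves modules of
 * that process, so the hooks land in the parent, not in the child. Attaching
 * to the child must be done from the host side (device.attach(pid), or spawn
 * with child gating); `pid` is only echoed in the log here.
 *
 * NOTE(review): hooking every ntdll export, including the routines the send()
 * path itself is likely to go through, risks re-entrancy and deadlocks; a
 * filtered export list is probably wanted — confirm on the target.
 *
 * @param {number} pid  Child process id reported by the CreateProcessW hook (log only).
 */
function attachAndMonitor(pid) {
  send("[*] Attaching to child process PID: " + pid);
  // Install the hooks only once: the CreateProcessW hook calls this for every
  // child, and re-attaching would stack a duplicate listener on every export
  // each time (duplicate messages, growing overhead).
  if (attachAndMonitor.hooked) {
    return;
  }
  attachAndMonitor.hooked = true;
  const ntdll = Process.getModuleByName("ntdll.dll");
  ntdll.enumerateExports().forEach(function (exp) {
    send("Hooking: " + exp.name);
    try {
      Interceptor.attach(exp.address, {
        onEnter: function (args) {
          send("[*] " + exp.name + " called");
        }
      });
    } catch (e) {
      // Data exports and some stubs cannot be hooked; report why and continue.
      send("[-] Error hooking: " + exp.name + " (" + String(e) + ")");
    }
  });
}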