What is this?

This is a small PoC (Proof of concept) that invokes NtCreateUserProcess to spawn a Command prompt. This also showcases PPID* (Parent Process ID) spoofing, where the parent is not the creator.

* You must have a valid handle to the parent process.

What is NtCreateUserProcess?

NtCreateUserProcess is lowest level API that spawns processes. Every WINAPI calls this.

Call chain from APIs to NtCreateUserProcess

kernel32.dll!CreateProcess
- CreateProcessInternalW
- - ntdll.dll!NtCreateUserProcess

ntdll.dll!RtlCreateUserProcessEx
- RtlpCreateUserProcess
- - ntdll.dll!NtCreateUserProcess

Requirements

Visual Studio
x86 or x64 machine (ARM or ARM64 is not tested)

Remarks

This API function is very buggy on Windows 10, that's where most other PoCs fail. Especially when the executable is Win32 (x86).

License

Please consider checking out my library Windows-Native

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
LICENSE.md		LICENSE.md
NtCreateUserProcess.sln		NtCreateUserProcess.sln
NtCreateUserProcess.vcxproj		NtCreateUserProcess.vcxproj
NtCreateUserProcess.vcxproj.user		NtCreateUserProcess.vcxproj.user
README.md		README.md
imports.h		imports.h
main.cpp		main.cpp

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

What is this?

What is NtCreateUserProcess?

Requirements

Remarks

About

Uh oh!

Releases

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

License

BlackOfWorld/NtCreateUserProcess

Folders and files

Latest commit

History

Repository files navigation

What is this?

What is NtCreateUserProcess?

Requirements

Remarks

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages