Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

Consider Parent PID spoofing #11

Open JohnLaTwC opened 3 years ago

JohnLaTwC commented 3 years ago

https://github.com/Neo23x0/Raccine/blob/b8ea99ad4b4e393b3cab2639b33755a26d3a8868/raccine.cpp#L223

You may want to check out this article on parent pid spoofing. https://pentestlab.blog/2020/02/24/parent-pid-spoofing/

olliencc commented 3 years ago

is there any reasonable user-land way to detect it, @JohnLaTwC?

olliencc commented 3 years ago

the only way I can see to detect PPID spoofing is via ETW..

Omodaka9375 commented 3 years ago

Afaik, UAC will also spoof your parent process by using svchost service name.

N3mes1s commented 3 years ago

reference to what @olliencc and @Omodaka9375 said about parent pid spoofing: https://blog.f-secure.com/detecting-parent-pid-spoofing/
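The detection approach discussed above (a spoofed parent is only visible where the OS records the real creator, e.g. in ETW), as an added example that is not part of this thread or of Raccine's code. It assumes ETW-style ProcessStart records in which the event header carries the process id of the emitter (the real creator) while the payload ParentProcessID is the value the child inherits and later reports; the records and process names are constructed.

```python
# Added example (not Raccine's code): compare the creator recorded in an
# ETW-style event header with the parent the child reports, then walk the
# parent chain both ways to show how a parent-based check can be misled.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    """One ProcessStart record (constructed; field names are assumptions)."""
    header_pid: int    # process that emitted the event, i.e. the real creator
    child_pid: int
    image: str
    payload_ppid: int  # ParentProcessID as the child will report it


# Constructed sample: explorer (1234) starts winword (4000), which starts cmd
# legitimately; an unrelated process (5000) starts vssadmin while claiming
# explorer as its parent.
SAMPLE_EVENTS = [
    ProcessStart(1234, 4000, "winword.exe", 1234),
    ProcessStart(4000, 4100, "cmd.exe", 4000),
    ProcessStart(5000, 5100, "vssadmin.exe", 1234),
]
PROCESS_NAMES = {1234: "explorer.exe", 4000: "winword.exe", 5000: "unknown.exe"}


def spoofed_parents(events):
    """Return (child_pid, image, claimed_ppid, real_ppid) for every record
    whose reported parent differs from the process that actually created it."""
    return [(e.child_pid, e.image, e.payload_ppid, e.header_pid)
            for e in events if e.payload_ppid != e.header_pid]


def parent_chain(events, pid, names, trusted=True):
    """Ancestry image names of pid, following the real creator (trusted=True)
    or the parent the child reports (trusted=False), as a user-land check
    that only sees the reported value would."""
    by_child = {e.child_pid: e for e in events}
    chain, seen = [], set()
    while pid in by_child and pid not in seen:
        seen.add(pid)  # guard against a spoofed parent that forms a cycle
        e = by_child[pid]
        pid = e.header_pid if trusted else e.payload_ppid
        chain.append(names.get(pid, "?"))
    return chain
```

A user-land check that trusts the reported parent sees vssadmin under explorer.exe, while the header shows it came from the unknown process.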

Gulhanburcu commented 1 year ago

I want to cancel all transactions.