orchechik / check_spoof

GNU General Public License v3.0

In Windows 10 (1909), OwnerProcessID & InheritedFromUniqueProcessId are different #1

Open swjung703 opened 3 years ago

swjung703 commented 3 years ago

Hello. I've read the documentation because I'm very interested in the plugin you submitted for the volatility plugin contest.

However, I checked on Windows 10-1909 using windbg, and found that the values of InheritedFromUniqueProcessId and OwnerProcessId were different even in the normal case.

In the case of InheritedFromUniqueProcessId, it displays the value normally (explorer.exe), but in the case of OwnerProcessId, it outputs an unknown value.

How can I solve this problem?

swjung703 commented 3 years ago

[Figure 1] This is HxD's value in the normal case, not spoofing.

swjung703 commented 3 years ago

0x153c is explorer's PID. But 0x153e doesn't exist.
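The situation the reporter describes, where the two fields differ but the OwnerProcessId value is not a live PID at all, is worth separating from a real parent mismatch when triaging plugin output. The following is an added example (not the check_spoof plugin's own code) that reproduces the comparison on constructed process records; the field names `inherited_from` and `owner_pid` and all PIDs are assumed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    inherited_from: int  # value read from _EPROCESS.InheritedFromUniqueProcessId
    owner_pid: int       # value read from the OwnerProcessId field (assumed name)


def classify(procs):
    """Return {pid: verdict} for each process.

    consistent        both fields agree (the expected case)
    owner_not_a_pid   fields differ, but OwnerProcessId is not any live PID,
                      i.e. the benign Windows 10 1909 case from the issue
    ppid_mismatch     fields differ and both point at live processes,
                      the case that merits a closer look for PPID spoofing
    """
    live = {p.pid for p in procs}
    verdicts = {}
    for p in procs:
        if p.inherited_from == p.owner_pid:
            verdicts[p.pid] = "consistent"
        elif p.owner_pid not in live:
            verdicts[p.pid] = "owner_not_a_pid"
        else:
            verdicts[p.pid] = "ppid_mismatch"
    return verdicts


# Constructed sample process list; 0x1a20 mirrors the reporter's observation
# (parent 0x153c is explorer.exe, OwnerProcessId 0x153e is not a process).
SAMPLE = [
    Proc(0x3f0, "winlogon.exe", 0x2c0, 0x2c0),
    Proc(0x153c, "explorer.exe", 0x3f0, 0x3f0),
    Proc(0x1b00, "svchost.exe", 0x3f0, 0x3f0),
    Proc(0x1a20, "cmd.exe", 0x153c, 0x153e),
    Proc(0x2000, "notepad.exe", 0x153c, 0x1b00),
]

if __name__ == "__main__":
    for pid, verdict in classify(SAMPLE).items():
        print(f"{pid:#06x} {verdict}")
```

Only the `ppid_mismatch` bucket corresponds to the plugin's intended finding; the `owner_not_a_pid` bucket is the noise the reporter is seeing and should be reviewed against the OS build before being treated as spoofing.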