_PEB) that is accessible and writable from userland.
nc.exe - a rudimentary netcat reverse shell spawned by cmd.exe - and the PID of
Path field and the binary icon in the process properties view in Process Explorer, as seen in the graphic below. Note that it is the same nc.exe process (PID 4620) as shown above, only this time masquerading as notepad.exe:
nc.exe process using WinDbg:
0x020 of the PEB, there is another structure of interest to us -
_RTL_USER_PROCESS_PARAMETERS, which contains the nc.exe process information. Let's inspect it further:
_RTL_USER_PROCESS_PARAMETERS is also of interest to us - it contains a member
ImagePathName which points to a structure
_UNICODE_STRING that, as we will see later, contains a field
Buffer which effectively holds the name/full path of our malicious binary nc.exe. Note how at offset
0x70 we can see the command-line arguments of the malicious process, which we explored previously.
_UNICODE_STRING structure describes the length of the string and also points to the actual memory location, the
Buffer field, that contains the string which is the full path to our malicious binary.
0x00000000`005e280e by issuing the following command in WinDbg:
0x00000000`005e280e indeed contains the path to the binary, let's try to write a new string to that memory address. Say, let's try swapping nc.exe with the path to the notepad.exe binary found at Windows\System32\notepad.exe:
_UNICODE_STRING structure again to see if the changes took effect:
Length value in the
_UNICODE_STRING structure is set to 0x1e (30 decimal), which is only 15 Unicode characters, since Length counts bytes rather than characters:
Buffer is no longer getting truncated:
Length by setting it to 0:
!peb data, we can see notepad.exe is now displayed in the
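The truncation seen above follows from Length being a byte count. As an added example (not code from the original post), this portable C model of _UNICODE_STRING reproduces it on constructed data: an original 15-character path (assumed to be C:\tools\nc.exe, a constructed value) is overwritten in Buffer with the notepad.exe path, first without and then with a matching Length update, and an analyst-style consistency check flags the Length/Buffer disagreement such an overwrite leaves behind.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Portable model of the Windows _UNICODE_STRING found via the PEB's
   _RTL_USER_PROCESS_PARAMETERS. Length and MaximumLength count BYTES of
   UTF-16 (0x1e bytes = 15 characters) and Buffer need not be NUL-terminated. */
typedef uint16_t WCHAR16;
typedef struct {
    uint16_t Length;        /* bytes currently in use */
    uint16_t MaximumLength; /* bytes available in Buffer */
    WCHAR16 *Buffer;
} UNICODE_STRING16;

/* Copy an ASCII path into Buffer as UTF-16 (NUL-terminated); returns chars written. */
static size_t put_utf16(WCHAR16 *dst, size_t cap_chars, const char *src) {
    size_t n = 0;
    while (src[n] && n + 1 < cap_chars) { dst[n] = (WCHAR16)(unsigned char)src[n]; n++; }
    dst[n] = 0;
    return n;
}

/* Render the string the way a PEB consumer (Process Explorer, !peb) does:
   exactly Length/2 characters, whatever else sits in Buffer. */
size_t us_view(const UNICODE_STRING16 *us, char *out, size_t outcap) {
    size_t n = us->Length / sizeof(WCHAR16);
    if (n >= outcap) n = outcap - 1;
    for (size_t i = 0; i < n; i++) out[i] = (char)us->Buffer[i];
    out[n] = '\0';
    return n;
}

/* Analyst check: a Buffer rewritten without updating Length leaves the
   NUL-terminated content disagreeing with Length. Returns 1 when they differ. */
int us_length_mismatch(const UNICODE_STRING16 *us) {
    size_t chars = 0;
    while (chars * sizeof(WCHAR16) < us->MaximumLength && us->Buffer[chars]) chars++;
    return chars * sizeof(WCHAR16) != us->Length;
}

/* Replay the sequence from the post on constructed data: 15-char path, then the
   longer notepad.exe path written over Buffer alone (fix_length=0) or with
   Length updated to match (fix_length=1). Returns the rendered length. */
size_t masquerade_view_len(int fix_length, char *out, size_t outcap, int *mismatch) {
    static WCHAR16 buf[64];
    UNICODE_STRING16 us;
    us.MaximumLength = sizeof buf;
    us.Length = (uint16_t)(put_utf16(buf, 64, "C:\\tools\\nc.exe") * 2); /* 0x1e, constructed */
    us.Buffer = buf;
    size_t n = put_utf16(buf, 64, "C:\\Windows\\System32\\notepad.exe"); /* 31 chars */
    if (fix_length) us.Length = (uint16_t)(n * 2);                        /* 0x3e bytes */
    *mismatch = us_length_mismatch(&us);
    return us_view(&us, out, outcap);
}
```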