The `_PEB` structure is accessible and writeable from userland.

nc.exe - a rudimentary netcat reverse shell spawned by cmd.exe, running with PID 4620.

The `Path` field and the binary icon in the process properties view of ProcExplorer, as seen in the below graphic. Note that it is the same nc.exe process (PID 4620) as shown above, only this time masquerading as notepad.exe.

Let's inspect the nc.exe process using WinDBG.

At offset `0x020` of the PEB there is another structure of interest to us, `_RTL_USER_PROCESS_PARAMETERS`, which contains the nc.exe process information. Let's inspect it further.

Offset `0x060` of `_RTL_USER_PROCESS_PARAMETERS` is also of interest to us: it contains the member `ImagePathName`, which points to a `_UNICODE_STRING` structure that, as we will see later, contains a field `Buffer` which effectively holds the name/full path of our malicious binary nc.exe. Note how at offset `0x70` we can see the command-line arguments of the malicious process, which we explored previously.

Let's look at the `_UNICODE_STRING` structure.

The `_UNICODE_STRING` structure describes the length of the string and, through its `Buffer` field, points to the actual memory location 0x00000000`005e280e that contains the string, which is the full path to our malicious binary.

We can dump the contents of 0x00000000`005e280e by issuing the following command in WinDBG.

Now that we know that 0x00000000`005e280e indeed contains the path to the binary, let's try to write a new string to that memory address. Say, let's try swapping nc.exe with the path to the notepad.exe binary found in Windows\System32\notepad.exe.

Let's inspect the `_UNICODE_STRING` structure again to see if the changes took effect.

Note that the `Length` value in the `_UNICODE_STRING` structure is still set to 0x1e (30 decimal), which equals only 15 Unicode characters, so the string shown for `Buffer` is truncated.

After updating the length, `Buffer` is no longer getting truncated.

Let's also update the `_UNICODE_STRING` structure member `Length` by setting it to 0.

Checking the `!peb` data again, we can see that notepad.exe is now displayed in the `Ldr.InMemoryOrderModuleList` memory structure!
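The truncation seen above comes from `dt` honouring `Length` while `du` reads up to the NUL terminator. The following Python is an added example, not code from the original post: it parses an x64 `_UNICODE_STRING` from a constructed memory snapshot (the structure bytes and the string placed at the `Buffer` address 0x5e280e are built inline, not dumped from a real process) and flags the mismatch a reader or a forensic tool can check for when the path in `Buffer` no longer agrees with `Length`.

```python
import struct

# x64 _UNICODE_STRING layout, matching the field offsets WinDBG's `dt` prints:
#   +0x000 Length        : USHORT  byte count of the string, terminating NUL excluded
#   +0x002 MaximumLength : USHORT  byte size of the buffer allocation
#   +0x008 Buffer        : PWSTR   pointer to the UTF-16LE characters (8-byte aligned)
UNICODE_STRING_FMT = "<HH4xQ"
BUFFER_ADDR = 0x5E280E  # the Buffer address shown in the post's WinDBG output

def parse_unicode_string(blob):
    """Unpack the three _UNICODE_STRING fields from a 16-byte memory snapshot."""
    length, max_length, buffer_ptr = struct.unpack(UNICODE_STRING_FMT, blob[:16])
    return {"Length": length, "MaximumLength": max_length, "Buffer": buffer_ptr}

def read_by_length(memory, us):
    """What `dt _UNICODE_STRING` shows: exactly Length bytes taken from Buffer."""
    return memory[us["Buffer"]][: us["Length"]].decode("utf-16-le")

def read_until_nul(memory, us):
    """What `du <Buffer>` shows: wide characters up to the first NUL, Length ignored."""
    raw, units = memory[us["Buffer"]], []
    for i in range(0, len(raw) - 1, 2):  # step by UTF-16 code unit, never by single byte
        if raw[i:i + 2] == b"\x00\x00":
            break
        units.append(raw[i:i + 2])
    return b"".join(units).decode("utf-16-le")

def check_image_path(memory, us):
    """Flag an ImagePathName whose Length disagrees with the string actually in Buffer;
    a PEB field that fails this check was edited after process start (or is corrupt)."""
    shown, in_memory = read_by_length(memory, us), read_until_nul(memory, us)
    consistent = (us["Length"] == 2 * len(in_memory)
                  and us["Length"] <= us["MaximumLength"])
    return {"displayed": shown, "in_memory": in_memory, "consistent": consistent}

def build_memory(path, length_field):
    """Construct a fake memory snapshot: the structure bytes plus the string they point to."""
    wide = path.encode("utf-16-le") + b"\x00\x00"
    blob = struct.pack(UNICODE_STRING_FMT, length_field, len(wide), BUFFER_ADDR)
    return blob, {BUFFER_ADDR: wide}

def walkthrough():
    """Replay the edit from the post: Buffer holds the notepad path, Length still says 0x1e."""
    notepad = r"C:\Windows\System32\notepad.exe"              # 31 characters = 62 bytes
    blob, memory = build_memory(notepad, 0x1E)                # stale Length: 15 characters
    stale = check_image_path(memory, parse_unicode_string(blob))
    blob, memory = build_memory(notepad, 2 * len(notepad))    # Length corrected to match
    fixed = check_image_path(memory, parse_unicode_string(blob))
    return stale, fixed
```

Calling `walkthrough()` returns the stale and the corrected result; the stale one displays only the 15-character prefix `C:\Windows\Syst` and is flagged as inconsistent, while the corrected one displays the full path.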