public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref STRUCTS.SECURITY_ATTRIBUTES lpProcessAttributes, ref STRUCTS.SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, STRUCTS.ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STRUCTS.STARTUPINFOEX lpStartupInfo, out STRUCTS.PROCESS_INFORMATION lpProcessInformation);
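/// <summary>
/// Starts <paramref name="processName"/> with <paramref name="demoProcessToSpawn"/> as its argument,
/// passing two extended startup attributes through STARTUPINFOEX: a MITIGATION_POLICY of
/// BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE and a PARENT_PROCESS entry holding a handle to the first
/// running process named <paramref name="parentProcess"/>. The new process therefore reports that
/// process as its parent rather than the actual creator; that discrepancy is the signal process-creation
/// telemetry should be compared against when reviewing this behaviour.
/// </summary>
/// <param name="parentProcess">Process name as <see cref="Process.GetProcessesByName(string)"/> expects it (without ".exe").</param>
/// <param name="processName">Executable to start; it is quoted and placed first on the command line.</param>
/// <param name="demoProcessToSpawn">Appended verbatim after the quoted executable as its argument.</param>
/// <returns>The hProcess handle from PROCESS_INFORMATION. The caller owns it and must close it.</returns>
/// <exception cref="InvalidOperationException">No running process is named <paramref name="parentProcess"/>.</exception>
/// <exception cref="System.ComponentModel.Win32Exception">
/// InitializeProcThreadAttributeList, UpdateProcThreadAttribute or CreateProcess reported failure. The attached
/// error code is only meaningful if the IMPORTS declarations specify SetLastError = true (not visible here).
/// </exception>
public static IntPtr SpawnNewProtectedProcess(string parentProcess, string processName, string demoProcessToSpawn)
{
    const int AttributeCount = 2;

    // Every unmanaged buffer is declared up front so the finally block can release each one on
    // success and on every error path. Previously the policy buffer was overwritten by the parent
    // buffer before being freed, and nothing was released if a native call failed.
    IntPtr attributeList = IntPtr.Zero;
    bool listInitialized = false;
    IntPtr policyValue = IntPtr.Zero;
    IntPtr parentValue = IntPtr.Zero;

    // The Process objects own the handle read below; they must stay undisposed until CreateProcess
    // has consumed it (a collected Process could close the handle early), so disposal happens in finally.
    Process[] parents = Process.GetProcessesByName(parentProcess);
    try
    {
        if (parents.Length == 0)
        {
            throw new InvalidOperationException("No running process named '" + parentProcess + "' was found to use as parent.");
        }

        STRUCTS.STARTUPINFOEX startInfoEx = new STRUCTS.STARTUPINFOEX();
        startInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(startInfoEx);

        STRUCTS.SECURITY_ATTRIBUTES processSecurity = new STRUCTS.SECURITY_ATTRIBUTES();
        STRUCTS.SECURITY_ATTRIBUTES threadSecurity = new STRUCTS.SECURITY_ATTRIBUTES();
        processSecurity.nLength = Marshal.SizeOf(processSecurity);
        threadSecurity.nLength = Marshal.SizeOf(threadSecurity);

        // Size query: this first call fails by design and only fills listSize, so its result is ignored.
        IntPtr listSize = IntPtr.Zero;
        IMPORTS.InitializeProcThreadAttributeList(IntPtr.Zero, AttributeCount, 0, ref listSize);
        attributeList = Marshal.AllocHGlobal(listSize);
        // Assumes the IMPORTS signatures return bool like the CreateProcess declaration above — TODO confirm.
        if (!IMPORTS.InitializeProcThreadAttributeList(attributeList, AttributeCount, 0, ref listSize))
        {
            throw NativeFailure("InitializeProcThreadAttributeList");
        }
        listInitialized = true;
        startInfoEx.lpAttributeList = attributeList;

        // Attribute 1: image-load mitigation policy, passed as a pointer-sized value.
        policyValue = Marshal.AllocHGlobal(IntPtr.Size);
        Marshal.WriteIntPtr(policyValue, new IntPtr((long)STRUCTS.BinarySignaturePolicy.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE));
        if (!IMPORTS.UpdateProcThreadAttribute(attributeList, 0, (IntPtr)STRUCTS.ProcThreadAttribute.MITIGATION_POLICY, policyValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero))
        {
            throw NativeFailure("UpdateProcThreadAttribute(MITIGATION_POLICY)");
        }

        // Attribute 2: the handle of the process to report as parent, in its own buffer so both
        // buffers stay valid until CreateProcess returns.
        parentValue = Marshal.AllocHGlobal(IntPtr.Size);
        Marshal.WriteIntPtr(parentValue, parents[0].Handle);
        if (!IMPORTS.UpdateProcThreadAttribute(attributeList, 0, (IntPtr)STRUCTS.ProcThreadAttribute.PARENT_PROCESS, parentValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero))
        {
            throw NativeFailure("UpdateProcThreadAttribute(PARENT_PROCESS)");
        }

        // Command line: quoted executable path followed by the single argument, exactly as before.
        string commandLine = "\"" + processName + "\" " + demoProcessToSpawn;

        STRUCTS.PROCESS_INFORMATION processInfo;
        bool created = IMPORTS.CreateProcess(
            null,
            commandLine,
            ref processSecurity,
            ref threadSecurity,
            false,
            STRUCTS.ProcessCreationFlags.CREATE_NEW_CONSOLE | STRUCTS.ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT,
            IntPtr.Zero,
            null,
            ref startInfoEx,
            out processInfo);
        if (!created)
        {
            // Previously a failed CreateProcess still printed "0 started" and returned a null handle.
            throw NativeFailure("CreateProcess");
        }

        // TODO(review): processInfo.hThread is never closed; no CloseHandle import is visible in this file.
        Console.WriteLine("{0} started", processInfo.dwProcessId);
        return processInfo.hProcess;
    }
    finally
    {
        if (attributeList != IntPtr.Zero)
        {
            if (listInitialized)
            {
                IMPORTS.DeleteProcThreadAttributeList(attributeList);
            }
            Marshal.FreeHGlobal(attributeList);
        }
        if (policyValue != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(policyValue);
        }
        if (parentValue != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(parentValue);
        }
        foreach (Process p in parents)
        {
            p.Dispose();
        }
    }

    // Wraps the last Win32 error into the standard .NET exception for P/Invoke failures.
    System.ComponentModel.Win32Exception NativeFailure(string api)
    {
        return new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error(), api + " failed");
    }
}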