Parent Process Detection


Warning: Undefined array key 1 in /var/www/wptbox/wp-content/plugins/coblocks/src/blocks/gist/index.php on line 27

Warning: Undefined array key 1 in /var/www/wptbox/wp-content/plugins/coblocks/src/blocks/gist/index.php on line 27

By checking the parent process of a given process we can determine if the process is being debugged or not by expecting “explorer.exe” to be the usual parent process started by the user.
For this technique the following Windows APIs are used.

We also use a pointer to PROCESSENTRY32 structure which will store the information of each process taken from the snapshot.

[code language=”C”]
typedef struct tagPROCESSENTRY32 {
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID;
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
TCHAR szExeFile[MAX_PATH];
} PROCESSENTRY32, *PPROCESSENTRY32;
[/code]

First we get the PID of the explorer.exe process by taking a snapshot of all process and enumerating through the list. Next we again take a snapshot and locate the current Process ID (PID) of our process by enumerating through the list and then we evaluate if the Parent Process ID (PPID) of our current process is equal to “explorer.exe”.
In case if someone rename something else as “explorer.exe” we can write more checks to determine if the parent process is equal “explorer.exe”.

Here’s an example I wrote in C.

https://github.com/OsandaMalith/Anti-Debug/blob/master/PPID/ppid.c

This is an example which I wrote in MASM.

https://github.com/OsandaMalith/Anti-Debug/blob/master/PPID/ppid.asm

Example when we normally run the program.

View post on imgur.com

View post on imgur.com

When the PPID is not equal to explorer.exe.

View post on imgur.com

View post on imgur.com

One thought on “Parent Process Detection

Leave a Reply