Skip to content

Process Parameter Poisoning#2478

Open
carlospolop wants to merge 1 commit into
masterfrom
update_Process_Parameter_Poisoning_089f7c7edfa54166
Open

Process Parameter Poisoning#2478
carlospolop wants to merge 1 commit into
masterfrom
update_Process_Parameter_Poisoning_089f7c7edfa54166

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The blog introduces Process Parameter Poisoning (P3), a Windows process-injection and EDR-evasion technique developed by SensePost/Orange Cyberdefense. Instead of transferring payload bytes into a remote process with the classic VirtualAllocEx + WriteProcessMemory pattern, P3 abuses normal Windows process-creation behavior: attacker-controlled startup parameters passed to CreateProcessW are copied by Windows into the child pr...

🔧 Technical Details

Process-parameter shellcode transfer: Instead of using VirtualAllocEx and WriteProcessMemory to place bytes in a remote process, an attacker can put a payload into parameters that Windows naturally copies during CreateProcessW. Useful carriers are lpCommandLine, lpEnvironment with CREATE_UNICODE_ENVIRONMENT, and STARTUPINFO.lpReserved, which maps to RTL_USER_PROCESS_PARAMETERS.ShellInfo. After creation, the attacker queries PROCESS_BASIC_INFORMATION with NtQueryInformationProcess, reads the child PEB, follows PEB.ProcessParameters, and obtains pointers to CommandLine, Environment, or ShellInfo. This turns normal process creation into a covert payload-transfer mechanism.

Execution through thread-context manipulation: Once the copied payload address is known, the attacker c...

🤖 Agent Actions

Plan re-initialized and current state re-verified.

Confirmed:

  • the edited file is still:
    • src/windows-hardening/av-bypass.md
  • the P3 section still exists
  • both P3 references are still present

No final answer yet.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://sensepost.com/blog/2026/process-parameter-poisoning

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening > Antivirus (AV) Bypass / Windows Process Injection - add a page for Process Parameter Poisoning (P3)".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant