<MØHΞ/>

Cybersecurity enthusiast • Reverse Engineer • Full-stack developer. Passionate about secure systems, low-level programming, and breaking things to learn how they work.


PID spoofing

22 August 2025

PID spoofing is a technique where an attacker manipulates or fakes a process ID (PID) to hide malicious activity on a system.

What is Parent Process ID (PPID) Spoofing?

EDR (Endpoint Detection and Response) systems often track parent-child relationships between processes on Windows. For example, if Microsoft Word (winword.exe) spawns rundll32.exe, the EDR may flag this as suspicious because Word normally doesn’t create that child process. Attackers can try to hide malicious activity by faking or spoofing the parent process of their malicious process.

What is the Goal?

The main goal of an attacker performing PPID spoofing is to evade detection by security tools. By masking the true parent process, the malicious process blends in with legitimate activity, avoids alerts from EDR systems, and can execute payloads stealthily without raising suspicion.

How Does Spoofing Work?

The primary technique involves manipulating the child process’s attributes during creation, specifically using the CreateProcess API in Windows. This API allows specifying a parent process through the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute. By setting this attribute, an attacker can make a malicious process appear as a child of a trusted parent process, such as explorer.exe. This manipulation enables the malicious process to inherit attributes like the current working directory and environment variables from the spoofed parent, potentially evading detection mechanisms that monitor parent-child process relationships. This technique was popularized by Didier Stevens in 2009, who demonstrated its effectiveness in bypassing security tools that rely on process lineage for detection.

Code

You can get the code here. We start by opening the target process that we want to be the parent of our process, requesting two access rights:

  • PROCESS_CREATE_PROCESS → needed to use hParent as the parent in UpdateProcThreadAttribute.
  • PROCESS_QUERY_INFORMATION → allows querying properties of the target process, which is useful for validation. This one is optional.

The second step prepares to create a new process while spoofing its parent process. It defines STARTUPINFOEXW siex to hold extended startup info and PROCESS_INFORMATION pi to receive the new process’s details, like its PID and handles.

It then queries Windows for the size needed to store one attribute (the parent process) using InitializeProcThreadAttributeList(NULL, 1, 0, &attrListSize), and allocates memory with HeapAlloc.

Finally, the attribute list is initialized with InitializeProcThreadAttributeList, making it ready to hold the parent process attribute. This allows the new process to appear as a child of a legitimate process, which is the core of PPID spoofing.

The third step sets the parent process attribute for the new process. UpdateProcThreadAttribute takes the initialized attribute list and assigns hParent as the parent process using PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. If this fails, it cleans up the attribute list, frees the allocated memory, closes the parent handle, and exits. On success, it confirms that the parent process attribute is set.

Next, the code creates the child process (cmd.exe) using CreateProcessW with the EXTENDED_STARTUPINFO_PRESENT flag to apply the attribute list. CREATE_NEW_CONSOLE gives it a separate console. All standard options like security attributes, environment, and current directory are left default or inherited. If creation fails, the code performs full cleanup of handles and memory.


Let's test the code

In this test, we are creating a cmd.exe process and spoofing its parent to be an unusual process, like Discord. Normally, Discord would never launch cmd.exe, so this is only for demonstration purposes.

After running the code, you can observe that cmd.exe now appears as a child of Discord in Task Manager or other process viewers. While the parent looks legitimate, the actual creator is the malware process (or test program) that executed the CreateProcess call.

We can see that cmd.exe now sits under Discord in the process tree.

Why This Evades Detection

  • EDRs typically look for abnormal parent-child relationships.
  • If the malicious process appears to have a trusted parent, the EDR may ignore it.
  • This is stealthy because Windows itself allows arbitrary parent assignment in the child’s attribute list.

We can see that it was able to evade detection, with only 1 out of 72 vendors flagging it, and this was without applying any evasion techniques.

How to detect using ETW

Let's say the malware process PID is 3000, and the malware calls the CreateProcess API to launch calc.exe. The malware uses PROC_THREAD_ATTRIBUTE_PARENT_PROCESS to make calc.exe’s parent PID look like it came from Explorer; let's say the PID for Explorer is 1500.

  • ETW will log:
    • Process ID: 5000 (calc.exe)
    • Parent PID: 1500 (Explorer.exe — spoofed)
    • Execution PID: 3000 (Malware.exe — actual process that executed it)

By comparing the execution PID with the parent PID, security tools can detect inconsistencies: the process claiming to be the parent (Explorer, 1500) did not actually launch the child; instead, the malware process (3000) did.

This mismatch is a strong indicator of PPID spoofing and can trigger alerts in EDR or custom monitoring solutions.
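The comparison described above, as an added example that is not part of the original post: it parses constructed ProcessStart records (assumed, normalised JSON field names; the ETW event header's PID is carried as ExecutionProcessID) and flags every start whose reported parent is not the process that actually executed the creation. The allowed_executors list is an assumption for processes an analyst has vetted as legitimately setting a foreign parent.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessStart:
    pid: int            # ProcessID of the new process (event payload)
    image: str          # ImageName (event payload)
    parent_pid: int     # ParentProcessID (payload; this is the value an attacker can spoof)
    execution_pid: int  # Execution ProcessID from the event header: the real CreateProcess caller

def parse_event(line: str) -> ProcessStart:
    """Parse one JSON-serialised ProcessStart record (assumed, normalised field names)."""
    d = json.loads(line)
    return ProcessStart(int(d["ProcessID"]), d["ImageName"],
                        int(d["ParentProcessID"]), int(d["ExecutionProcessID"]))

# Constructed sample records mirroring the post's scenario (not real telemetry):
# Explorer is PID 1500, the test program is PID 3000, calc.exe becomes PID 5000.
SAMPLE_LOG = """\
{"ProcessID": 3000, "ImageName": "spoofer.exe", "ParentProcessID": 1500, "ExecutionProcessID": 1500}
{"ProcessID": 5000, "ImageName": "calc.exe", "ParentProcessID": 1500, "ExecutionProcessID": 3000}
{"ProcessID": 5100, "ImageName": "notepad.exe", "ParentProcessID": 1500, "ExecutionProcessID": 1500}
"""

def find_ppid_spoofing(lines, allowed_executors=frozenset()):
    """Return (event, creator_image) for every start whose reported parent is not
    the process that executed the creation. allowed_executors holds PIDs the
    analyst has vetted as legitimately setting a foreign parent (assumption)."""
    events = [parse_event(line) for line in lines if line.strip()]
    image_by_pid = {ev.pid: ev.image for ev in events}
    findings = []
    for ev in events:
        if ev.parent_pid == ev.execution_pid or ev.execution_pid in allowed_executors:
            continue
        findings.append((ev, image_by_pid.get(ev.execution_pid, "<not seen in log>")))
    return findings

def describe(finding) -> str:
    ev, creator = finding
    return (f"{ev.image} (PID {ev.pid}) reports parent PID {ev.parent_pid} "
            f"but was created by PID {ev.execution_pid} ({creator})")

if __name__ == "__main__":
    for f in find_ppid_spoofing(SAMPLE_LOG.splitlines()):
        print(describe(f))
```

On the sample log only calc.exe is reported, because its reported parent (1500) differs from the PID that executed the creation (3000); the two genuine Explorer children pass.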