Skip to content

P³-Shellcode Loader - Process Parameter Poisoning#2489

Open
carlospolop wants to merge 1 commit into
masterfrom
update_P_-Shellcode_Loader_-_Process_Parameter_Poisonin_e30a732498b1a531
Open

P³-Shellcode Loader - Process Parameter Poisoning#2489
carlospolop wants to merge 1 commit into
masterfrom
update_P_-Shellcode_Loader_-_Process_Parameter_Poisonin_e30a732498b1a531

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://github.com/Orange-Cyberdefense/p3-loader
  • Blog Title: P³-Shellcode Loader - Process Parameter Poisoning
  • Suggested Section: Windows Hardening -> Antivirus (AV) Bypass, or a new Windows Process Injection / Windows Process Abuse subsection

🎯 Content Summary

P³-Shellcode Loader - Process Parameter Poisoning

P³-Shellcode Loader is a Windows proof-of-concept loader by Orange Cyberdefense that implements Process Parameter Poisoning (P³), a process-injection technique that uses normal CreateProcessW parameters as a remote staging location for shellcode. Instead of allocating and writing memory in a remote process with the classic VirtualAllocEx + WriteProcessMemory + CreateRemoteThrea...

🔧 Technical Details

Process Parameter Poisoning for stealthy shellcode staging: when an attacker controls process creation, they can smuggle payload bytes into a child process through normal CreateProcessW parameters. lpCommandLine lands in RTL_USER_PROCESS_PARAMETERS.CommandLine, lpEnvironment lands in Environment, and STARTUPINFOW.lpReserved is copied into ShellInfo. This converts process metadata into a remote staging buffer without using VirtualAllocEx or WriteProcessMemory.


Remote PEB walking to recover automatically copied payloads: after creating the target process, call NtQueryInformationProcess(ProcessBasicInformation) to retrieve PROCESS_BASIC_INFORMATION.PebBaseAddress. Read the target PEB, then read PEB.ProcessParameters as RTL_USER_PROCESS_PARAMETERS. The staged payload can then be addr...

🤖 Agent Actions

Done — I updated:

  • src/reversing/common-api-used-in-malware.md

What I added:

  • A new Process Parameter Poisoning (P³) subsection
  • Technical details on:
    • abusing CreateProcessW startup parameters as remote staging buffers
    • recovering payload addresses through PEB.ProcessParameters
    • using NtProtectVirtualMemory + NtSetContextThread for execution
    • null-byte/string-transport constraints
    • concise detection ideas
  • The Orange Cyberdefense source in the file’s final References section

Why this file:

  • It already contains adjacent Windows malware injection tradecraft like DLL injection, thread hijacking, and process hollowing, so this was the best non-duplicative location without creating a new page.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/Orange-Cyberdefense/p3-loader

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Antivirus (AV) Bypass, or a new Windows Process Injection / Windows Process Abuse subsection".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant