Windows C++ / Parent Process Detection
Author | Unprotect |
Platform | Windows |
Language | C++ |
Technique | Parent Process Detection |
Description:
This code uses the CreateToolhelp32Snapshot()
and Process32First()/Process32Next()
functions to iterate over every process in the system and locate the entry for the current process, which carries the parent process ID (th32ParentProcessID). That parent ID then has to be resolved to an image name and compared with explorer.exe: explorer.exe has no fixed PID, and comparing the parent PID against a constant such as 0 cannot work (PID 0 is the System Idle Process). If the parent is not explorer.exe, the program may be running under a debugger, sandbox or analysis harness and the malware can take evasive action — though cmd.exe, PowerShell, services and scheduled tasks are equally common benign parents, so this is a weak signal on its own. The parent PID is also only advisory: a launcher can spoof it with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, and the real parent may already have exited and had its PID reused.
Code
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
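// Look up the snapshot record for process `pid`.
// Returns false if no process with that ID is present in `snapshot` (it had
// already exited when the snapshot was taken) or if enumeration fails.
static bool FindProcessEntry(HANDLE snapshot, DWORD pid, PROCESSENTRY32W& out)
{
    PROCESSENTRY32W entry{};
    entry.dwSize = sizeof(entry);  // required by Process32FirstW; the call fails otherwise

    if (!Process32FirstW(snapshot, &entry))
    {
        return false;
    }
    do
    {
        if (entry.th32ProcessID == pid)
        {
            out = entry;
            return true;
        }
    } while (Process32NextW(snapshot, &entry));

    return false;
}

// Parent-process check: prints whether this process was started by
// explorer.exe (the normal parent of a double-clicked program) or by
// something else (debugger, sandbox launcher, shell, service host, ...).
// Returns 0 after printing the result, 1 if the process snapshot could not
// be taken.
int main()
{
    const DWORD currentPID = GetCurrentProcessId();

    // Snapshot of every process on the system (th32ProcessID is ignored for
    // TH32CS_SNAPPROCESS). On failure the API returns INVALID_HANDLE_VALUE,
    // not NULL.
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        std::cerr << "CreateToolhelp32Snapshot failed: " << GetLastError() << '\n';
        return 1;
    }

    // Pass 1: our own record holds the parent PID. Pass 2: the parent's record
    // holds its image name. explorer.exe has no fixed PID -- and PID 0 is the
    // System Idle Process -- so the name, not a constant, is what is compared.
    bool parentIsExplorer = false;
    PROCESSENTRY32W self{};
    PROCESSENTRY32W parent{};
    if (FindProcessEntry(snapshot, currentPID, self) &&
        FindProcessEntry(snapshot, self.th32ParentProcessID, parent))
    {
        // szExeFile is the bare image name; compare case-insensitively and
        // ordinally (both "explorer.exe" and "Explorer.EXE" occur in practice).
        parentIsExplorer =
            CompareStringOrdinal(parent.szExeFile, -1, L"explorer.exe", -1, TRUE) == CSTR_EQUAL;
    }
    CloseHandle(snapshot);

    // NOTE(review): th32ParentProcessID is only a number. A launcher can set it
    // to any PID it can open (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS), and if the
    // real parent has exited its PID may already belong to another process --
    // a creation-time comparison via GetProcessTimes would tighten that. A
    // non-explorer parent is also the normal case for cmd.exe, PowerShell,
    // services and scheduled tasks, so this alone is a weak sandbox signal.
    if (parentIsExplorer)
    {
        std::cout << "Parent process is explorer.exe" << '\n';
    }
    else
    {
        std::cout << "Parent process is not explorer.exe" << '\n';
    }
    return 0;
}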
Created
December 7, 2022
Last Revised
April 22, 2024