Challenge 17: 32-Bit Process Evasion
Objective
Execute a 32-bit process to prevent the EDR from correctly reading its command line.
Scanner Behavior
The EDR reads command lines using hardcoded 64-bit PEB offsets:
# ProcessParameters at PEB + 0x20 (64-bit)
ReadProcessMemory(hProc,
cast[LPCVOID](pebAddr + 0x20'u64), ...)
# CommandLine at ProcessParameters + 0x70 (64-bit)
ReadProcessMemory(hProc,
cast[LPCVOID](procParams + 0x70'u64), ...)
For 32-bit (WoW64) processes, the PEB has different offsets:
- ProcessParameters is at PEB + 0x10 (not 0x20)
- CommandLine is at ProcessParameters + 0x40 (not 0x70)
Rules
- Compile or use a 32-bit executable
- Execute it with suspicious command-line arguments
- Show that the EDR reads garbage or empty command line data
Hints
Hint 1
The 32-bit PEB has a different layout than the 64-bit PEB. The EDR only knows 64-bit offsets.Hint 2
C:\Windows\SysWOW64\cmd.exe is a 32-bit version of cmd.exe.
Hint 3
Reading at wrong offsets means the EDR gets garbage data (wrong memory addresses). TheReadProcessMemory call will either fail or return meaningless bytes.
MostShittyEDR