Challenge 17: 32-Bit Process Evasion

Medium Execution Evasion Target: Rule Architecture

Objective

Execute a 32-bit process to prevent the EDR from correctly reading its command line.

Scanner Behavior

The EDR reads command lines using hardcoded 64-bit PEB offsets:

# ProcessParameters at PEB + 0x20 (64-bit)
ReadProcessMemory(hProc,
    cast[LPCVOID](pebAddr + 0x20'u64), ...)

# CommandLine at ProcessParameters + 0x70 (64-bit)
ReadProcessMemory(hProc,
    cast[LPCVOID](procParams + 0x70'u64), ...)

For 32-bit (WoW64) processes, the PEB has different offsets:

  • ProcessParameters is at PEB + 0x10 (not 0x20)
  • CommandLine is at ProcessParameters + 0x40 (not 0x70)

Rules

  • Compile or use a 32-bit executable
  • Execute it with suspicious command-line arguments
  • Show that the EDR reads garbage or empty command line data

Hints

Hint 1 The 32-bit PEB has a different layout than the 64-bit PEB. The EDR only knows 64-bit offsets.
Hint 2 C:\Windows\SysWOW64\cmd.exe is a 32-bit version of cmd.exe.
Hint 3 Reading at wrong offsets means the EDR gets garbage data (wrong memory addresses). The ReadProcessMemory call will either fail or return meaningless bytes.