Parent Process ID Spoofing

View Spoofed Parent Process ID

An operator can check which Parent Process ID is currently set for spoofing with the get_parent command.

Change Spoofed Parent Process ID

To change the spoofed PPID, use the set_parent command with a valid process ID. Your badger must have sufficient privileges to open a HANDLE to this PID; without that, the spoofing fails. There is no default process set for spoofing. Once a PID is set as the spoofed parent, every type of process creation performed by the badger is affected, including launching new processes and fetching the output of fork-and-run commands. The help set_parent command lists these under Affected Commands, which enumerates the commands that set_parent influences.
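Because the spoofed PPID is exactly what process-creation telemetry records as the parent, a defender needs a second source that names the real creator. The following added example (not part of this page or of the tool's own code) cross-checks constructed Sysmon Event ID 1 records against constructed Kernel-Process ETW start events, whose event-header ProcessId is the process that actually called CreateProcess; the dataclass names and all sample PIDs and paths are assumptions made for the example.

```python
"""Spot parent-PID spoofing by cross-checking two process-start records.

Assumed record shapes (constructed for this example):
  - Sysmon Event ID 1: ParentProcessId is the parent recorded for the child,
    i.e. the spoofed value when the creator used
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
  - Kernel-Process ETW ProcessStart: the event header's ProcessId is the
    process that emitted the event, i.e. the real caller of CreateProcess,
    while the payload's ParentProcessID again carries the spoofed value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SysmonProcCreate:
    process_id: int
    image: str
    parent_process_id: int   # as recorded for the child (spoofable)
    parent_image: str


@dataclass(frozen=True)
class EtwProcessStart:
    process_id: int          # payload: PID of the newly created child
    header_process_id: int   # header: process that emitted the event (real creator)


def find_spoofed_parents(sysmon, etw):
    """Return (child_pid, recorded_parent_pid, real_creator_pid) per mismatch.

    A mismatch is a lead, not a verdict: some legitimate launches also set an
    explicit parent (e.g. UAC-elevated processes started via the AppInfo
    service), so results need an allowlist before alerting.
    """
    creator_by_child = {e.process_id: e.header_process_id for e in etw}
    findings = []
    for ev in sysmon:
        real = creator_by_child.get(ev.process_id)  # None if no ETW record seen
        if real is not None and real != ev.parent_process_id:
            findings.append((ev.process_id, ev.parent_process_id, real))
    return findings


# Constructed sample: PID 4100 is really launched by 3200 but records 812 as parent.
SAMPLE_SYSMON = [
    SysmonProcCreate(4100, r"C:\Windows\System32\cmd.exe", 812, r"C:\Windows\explorer.exe"),
    SysmonProcCreate(4200, r"C:\Windows\System32\notepad.exe", 812, r"C:\Windows\explorer.exe"),
]
SAMPLE_ETW = [
    EtwProcessStart(process_id=4100, header_process_id=3200),
    EtwProcessStart(process_id=4200, header_process_id=812),
]

if __name__ == "__main__":
    for child, recorded, real in find_spoofed_parents(SAMPLE_SYSMON, SAMPLE_ETW):
        print(f"PID {child}: recorded parent {recorded}, real creator {real}")
```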

Disable Parent Process ID Spoofing

To disable PPID spoofing, use the clear_parent command; subsequent process creation by the badger then reports its real parent.