Anti-Analysis (intermediate)

Parent Process Detection

Malware enumerates running processes to verify its parent is explorer.exe; an unexpected parent (e.g., a sandbox or analysis tool) triggers evasive behaviour.

When a user double-clicks a file in Windows Explorer, the resulting process has explorer.exe as its parent. Automated analysis systems (sandboxes, AV engines, malware labs) typically launch samples from a command-line runner, a monitoring service, or a web browser, so the sample's parent is a different process: a different PID and, more importantly, a different image name.

Malware exploits this by enumerating all running processes, resolving the parent PID of its own process, and comparing the parent's image name to an expected value such as explorer.exe. A mismatch indicates an artificial execution environment.

How it works

```c
#include <windows.h>
#include <tlhelp32.h>
#include <wchar.h>

// Returns TRUE when the parent is NOT explorer.exe (or cannot be resolved),
// i.e. when the sample should treat the environment as suspicious.
BOOL IsParentSuspicious(void)
{
    DWORD dwCurrentPid = GetCurrentProcessId();
    DWORD dwParentPid  = 0;
    BOOL  bFound       = FALSE;
    BOOL  bIsExplorer  = FALSE;

    // Step 1: find own parent PID via a process snapshot
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) return FALSE; // cannot decide; treat as benign

    PROCESSENTRY32W pe = { .dwSize = sizeof(pe) };
    if (Process32FirstW(hSnap, &pe)) {
        do {
            if (pe.th32ProcessID == dwCurrentPid) {
                dwParentPid = pe.th32ParentProcessID;
                bFound = TRUE;
                break;
            }
        } while (Process32NextW(hSnap, &pe));
    }

    // Step 2: resolve the parent's image name from the same snapshot.
    // th32ParentProcessID is the creator's PID recorded at creation time; if the
    // creator has exited, that PID may be unused or reused by an unrelated process.
    pe.dwSize = sizeof(pe);
    if (bFound && Process32FirstW(hSnap, &pe)) {
        do {
            if (pe.th32ProcessID == dwParentPid) {
                bIsExplorer = (_wcsicmp(pe.szExeFile, L"explorer.exe") == 0);
                break;
            }
        } while (Process32NextW(hSnap, &pe));
    }

    CloseHandle(hSnap);
    return !bIsExplorer; // TRUE = unexpected (or unresolvable) parent
}
```

Some variants call NtQueryInformationProcess with the ProcessBasicInformation class and read the parent PID from the InheritedFromUniqueProcessId field of PROCESS_BASIC_INFORMATION (named Reserved3 in the public winternl.h) instead of taking a snapshot. The function is usually resolved at run time with GetProcAddress, so the more easily flagged Toolhelp32 imports never appear in the import table. Both paths read the same creator PID recorded at process creation, so both share the same blind spot: once the creator has exited, the PID may belong to nothing or to an unrelated process that reused it.
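The following PowerShell is an added example, not code from the original page or from any sample: it reads the parent PID the way the NtQueryInformationProcess variant does (P/Invoke into ntdll), cross-checks it against Win32_Process (which exposes the same creator PID the Toolhelp snapshot reports), and flags PID reuse by comparing creation times. Run it from the position a sample would occupy, for instance from a PowerShell started by the sandbox agent, to see what verdict the check would reach there. The struct field names and the function names are this example's own.

```powershell
# Added example: parent lookup via NtQueryInformationProcess plus a PID-reuse check.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class PbiNative
{
    // PROCESS_BASIC_INFORMATION as laid out in winternl.h. After padding every
    // field is pointer-sized, so IntPtr works for both x86 and x64.
    // winternl.h names the last field Reserved3; it holds the creator's PID.
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus;
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr ProcessHandle,
        int ProcessInformationClass, ref PROCESS_BASIC_INFORMATION ProcessInformation,
        int ProcessInformationLength, out int ReturnLength);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
"@

function Get-ParentPidFromPbi {
    # ProcessBasicInformation is information class 0.
    $pbi = New-Object PbiNative+PROCESS_BASIC_INFORMATION
    $returned = 0
    $status = [PbiNative]::NtQueryInformationProcess([PbiNative]::GetCurrentProcess(), 0,
        [ref]$pbi, [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$returned)
    if ($status -ne 0) { throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
    $pbi.InheritedFromUniqueProcessId.ToInt64()
}

function Test-ParentProcess {
    param([string]$ExpectedImage = 'explorer.exe')
    $parentPid = Get-ParentPidFromPbi
    $self   = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $parentPid"

    # The creator may already have exited; the sample then has nothing to compare.
    if (-not $parent) {
        return [pscustomobject]@{ ParentPid = $parentPid; ParentImage = $null; Verdict = 'parent exited' }
    }
    # A "parent" created after us is an unrelated process that reused the PID.
    $pidReused = $parent.CreationDate -gt $self.CreationDate
    $expected  = ($parent.Name -ieq $ExpectedImage) -and -not $pidReused
    $verdict   = if ($expected) { 'expected parent' } else { 'suspicious parent' }
    [pscustomobject]@{
        ParentPid     = $parentPid
        ParentImage   = $parent.Name
        AgreesWithWmi = ($parentPid -eq $self.ParentProcessId)   # same creator PID, two APIs
        PidReused     = $pidReused
        Verdict       = $verdict
    }
}

Test-ParentProcess
```

AgreesWithWmi should always be true; if it is not, something between the two calls replaced the process record, which is itself worth a look. The PidReused field is the caveat a sample usually ignores: a creator that exited and had its PID recycled yields an arbitrary image name, so a check that only compares names produces a false "sandbox" verdict on a perfectly normal desktop.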

Detection & analysis

During analysis:

  • Spawn the sample from explorer.exe itself, or use tools that spoof the parent PID (Process Hacker → Create Process with Parent).
  • Use a debugger to patch the comparison result or NOP the conditional branch.
  • On automated sandboxes, configure the agent to launch samples as a child of explorer.exe.

Static / automated detection:

  • YARA: co-occurrence of CreateToolhelp32Snapshot, Process32First, Process32Next, and GetCurrentProcessId in the same binary, ideally together with the string "explorer.exe". On its own this is noisy (any process-listing utility imports the same set), and the NtQueryInformationProcess variant shows none of these imports, only the function name as a string for GetProcAddress.
  • Unprotect technique ID: U0404.
  • Monitor for processes that iterate the full process list immediately on startup and then exit or change behaviour. Enumeration alone is a weak signal (installers, updaters and single-instance checks do it too); the combination with an early exit or a branch on the parent's image name is what matters.