Add PPID spoofing for cursed commands and improve implant path resolution#2268
Draft
MKMithun2806 wants to merge 5 commits into
Draft
Add PPID spoofing for cursed commands and improve implant path resolution#2268MKMithun2806 wants to merge 5 commits into
MKMithun2806 wants to merge 5 commits into
Conversation
…e absolute path resolution in runner
rkervella
approved these changes
Jun 3, 2026
MKMithun2806
marked this pull request as draft
June 26, 2026 18:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Title
feat: Add PPID spoofing for cursed commands and improve implant path resolution
This PR implements several critical stealth improvements and resolves long-standing technical debt in the implant’s process execution and registration lifecycle.
These changes significantly enhance the framework’s OPSEC by giving operators better control over process lineage and ensuring reliable self-identification of the implant on target hosts.
Changes
1. PPID Spoofing for Cursed Commands
Operators can now spoof the Parent Process ID (PPID) when using the cursed suite of commands (
chrome,edge, andelectron).This allows spawned browser processes to appear as children of legitimate system processes (e.g.
explorer.exeorsvchost.exe), making them much harder for EDR solutions to detect based on anomalous process trees.--ppid/-Pflag to all browser-based cursed commandsExecutehandler for Windows targets2. Robust Implant Path Resolution
Resolved a long-standing
TODOin the implant registration logic.The implant now uses a more resilient method to determine its absolute path during initial check-in:
os.Args[0]ifos.Executable()fails3. Windows Locale Handling Cleanup
Cleaned up and properly documented hardcoded locale constants in the
jibberjabberpackage while maintaining full compatibility with the Windows API.Technical Details
feature/stealth-improvementsclient/command/cursed/commands.goimplant/sliver/handlers/handlers.goimplant/sliver/runner/runner.goimplant/sliver/spoof/spoof_generic.go(New file)Checklist