Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sat Nov 15, 2008 2:19 pm Post subject: hiding process in C++ !?
So I was wondering, how would I hide a process in C++?
Which means I won't see it in Task Manager while it's running.
I remember I saw something about the EPROCESS list or something like that.
I'm not asking for code, just link me to an explanation or explain here if you can, that'd be great.
I want to understand how it works.
Thank you :]
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Sat Nov 15, 2008 2:56 pm
Well, for unlinking your process from the EPROCESS list you need a kernel-mode driver.
And because you mentioned C++ (and I think you mean C++ for user-mode apps, not kernel-mode), you might find it easier to inject a DLL into every process and hook functions like NtQuerySystemInformation and filter out your process. Then you don't need a driver.
BanMe Master Cheater
Reputation: 0
Joined: 29 Nov 2005 Posts: 375 Location: Farmington NH, USA
Posted: Sat Nov 15, 2008 3:27 pm
Why hide the process if you get the process running? Just protect the threads. o0
And tombana, you need to take a look at rootkit.com; that method is mad old. It can be bypassed by: the Object Handle Table (handles to process name), Csrss reading the EPROCESS structs stored by the subsystem, direct EPROCESS traversal looking for orphans, PsCreateProcessNotifyRoutine(), PsSetImageNotifyRoutine()... and probably a few more methods... like hooking KeInitThread()... The best method I can think of would be to have your own subsystem on top of the NATIVE subsystem (not the Win32_SubSystem) that loads conjunctively with Csrss and cojoinly connects to smss. This would prevent some of the csrsswalker from working on it, but it would be a heavily identifiable method because you have to add your own SubSystem key in the registry to provide a loading method... But as to hiding from a Main() usermode application, that is virtually impossible... ;}
Overload Master Cheater
Reputation: 0
Joined: 08 Feb 2008 Posts: 293
Posted: Sat Nov 15, 2008 3:36 pm
Just hide it using DKOM.
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sun Nov 16, 2008 6:15 am
Thanks all for helping :]
If I have more questions I'll ask here.
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sun Nov 16, 2008 9:47 am

Have a look at ground zero. It is a driver that uses the FLink and BLink method to hide stuff.
the_undead Expert Cheater
Reputation: 1
Joined: 12 Nov 2006 Posts: 235 Location: Johannesburg, South Africa
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sun Nov 16, 2008 1:21 pm
How come my compiler doesn't recognize the PEPROCESS type?
I get a "PEPROCESS: undeclared identifier" error.
Do I need to add some library to my project?
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Sun Nov 16, 2008 2:32 pm

You need the DDK.
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sun Nov 16, 2008 3:36 pm

I thought you had to do that crap in ring0, not ring3....
Overload Master Cheater
Reputation: 0
Joined: 08 Feb 2008 Posts: 293
Posted: Sun Nov 16, 2008 8:39 pm

dnsi0 wrote:
> I thought you had to do that crap in ring0, not ring3....

You do have to do it in ring0...
BirdsEye Advanced Cheater
Reputation: 0
Joined: 05 Apr 2008 Posts: 94
Posted: Sun Nov 16, 2008 9:12 pm

dnsi0 wrote:
> I thought you had to do that crap in ring0, not ring3....

Isn't that why 1qaz will have to code a driver if utilizing the methods mentioned?

sponge wrote:
> You need the DDK.
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Mon Nov 17, 2008 1:21 am
Check out the Cheat Engine Source section. It's one of the stickies.