| View previous topic :: View next topic |
| Author |
Message |
oib111
I post too much
 Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
 Posted: Thu Sep 04, 2008 7:59 pm Post subject: Hiding Processes |
 |
|
I was trying to learn how to hide processes and all I could find was this piece of code...it was seriously everywhere 
| Code: |
typedef DWORD (WINAPI *TRegisterServiceProcess)(DWORD,DWORD);
bool registered=false;
//-----------------------------------------------------------------------
void __fastcall reg(bool which) //true=register, false=unregister
{
HMODULE hmod;
TRegisterServiceProcess pReg;
hmod = LoadLibrary("kernel32.dll");
if (!hmod) return;
(FARPROC)pReg = (FARPROC)::GetProcAddress(hmod,"RegisterServiceProcess");
if (!pReg) {FreeLibrary(hmod); return;}
else
{
if (which)
pReg(0,1); //unregister our process
else
pReg(0,0);
}
registered = true;
FreeLibrary(hmod);
}
|
The only thing is that Visual Studio complains that "the operator left of '=' cannot be typecasted." Something like that. If this doesn't work do I need to create a driver to hide my process or could I do it from a normal executable program? And can't I just make it so that my program's Flink's Blink's is my programs Blink and my programs Blink's Flink is my program Flink?
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
 |
sponge
I'm a spammer
 Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Thu Sep 04, 2008 8:03 pm Post subject: |
|
|
Unlink EPROCESS.
_________________
|
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Thu Sep 04, 2008 8:28 pm Post subject: |
|
|
How exactly may I do that? I tried looking it up but all I got was programs that DETECT processes like those.
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
samuri25404
Grandmaster Cheater
 Reputation: 7
Joined: 04 May 2007
Posts: 955
Location: Why do you care?
|
| Posted: Tue Sep 09, 2008 6:13 pm Post subject: |
|
|
| Code: |
EPROCESS *myProc;
//get it... don't remember quite how
myProc->Blink->Flink = myProc->Flink;
myProc->Flink->Blink = myProc->Blink;
|
_________________
|
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Tue Sep 09, 2008 6:16 pm Post subject: |
|
|
So is this source correct (I made it myself)?
| Code: |
#include "ntddk.h"
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) {
PEPROCESS pEprocess = PsGetCurrentProcess();
LIST_ENTRY process_list_entry = pEprocess->ActiveProcessLinks;
process_list_entry.Flink->Blink = process_list_entry.Blink;
process_list_entry.Blink->Flink = process_list_entry.Flink;
pDriverObject->DriverUnload;
return STATUS_SUCCESS;
}
|
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
Renkokuken
GO Moderator
![]() Reputation: 4
Joined: 22 Oct 2006
Posts: 3249
|
| Posted: Tue Sep 09, 2008 6:26 pm Post subject: |
|
|
| Code: | | (FARPROC)pReg = (FARPROC)::GetProcAddress(hmod,"RegisterServiceProcess"); |
About the first code, you're applying typecasting to left-hand value. Not allowed. Invalid anyway, if you have the function prototype, you're supposed to cast it with that.
| Code: | | pReg = (TRegisterServiceProcess)GetProcAddress( hmod, "RegisterServiceProcess" ); |
|
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Tue Sep 09, 2008 6:33 pm Post subject: |
|
|
Thanks Renko. But is there any chance that won't work. Because I heard that that code only worked for 98/2000/NT.
EDIT:
Just tested it doesn't work for XP 
Btw, what designates the current process in PsGetCurrentProcess? Is it the program that loaded the driver?
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
UnLmtD
Grandmaster Cheater
 Reputation: 0
Joined: 13 Mar 2007
Posts: 894
Location: Canada
|
| Posted: Tue Sep 09, 2008 6:45 pm Post subject: |
|
|
Your code is flawed (the attempt to use DKOM), take a look at FU/FUTo source codes. Also you may want to read about how this stuff works, it will help, a lot.
_________________
|
|
| Back to top |
|
|
Renkokuken
GO Moderator
![]() Reputation: 4
Joined: 22 Oct 2006
Posts: 3249
|
| Posted: Tue Sep 09, 2008 6:47 pm Post subject: |
|
|
| UnLmtD wrote: | | Your code is flawed (the attempt to use DKOM), take a look at FU/FUTo source codes. Also you may want to read about how this stuff works, it will help, a lot. |
Didn't you make an example of this method? I believe it was called GroundZero. oib could look for that, it should be on the forums somewhere. :P
|
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Tue Sep 09, 2008 6:53 pm Post subject: |
|
|
That would be helpful. If you still have the link it would be appreciated.
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
Renkokuken
GO Moderator
![]() Reputation: 4
Joined: 22 Oct 2006
Posts: 3249
|
|
| Back to top |
|
|
UnLmtD
Grandmaster Cheater
Reputation: 0
Joined: 13 Mar 2007
Posts: 894
Location: Canada
|
| Posted: Tue Sep 09, 2008 7:02 pm Post subject: |
|
|
Oh wow! damn, it's still here. Well, at the time I was just starting out, so don't flame me for the bad coded code. I would suggest you to look into FU/FUTo source codes.
omg I used WriteFile 
BTW, hiding an object with DKOM is easily detected without modifying/hooking any other stuff.
_________________
|
|
| Back to top |
|
|
Renkokuken
GO Moderator
![]() Reputation: 4
Joined: 22 Oct 2006
Posts: 3249
|
| Posted: Tue Sep 09, 2008 7:14 pm Post subject: |
|
|
| UnLmtD wrote: | Oh wow! damn, it's still here. Well, at the time I was just starting out, so don't flame me for the bad coded code. I would suggest you to look into FU/FUTo source codes.
omg I used WriteFile
BTW, hiding an object with DKOM is easily detected without modifying/hooking any other stuff. |
:P I know how it feels, I could find some of my old work and be surprised on what the hell I used to do as well, haha.
|
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Tue Sep 09, 2008 7:19 pm Post subject: |
|
|
I tried searching google but I couldn't find the source for FUTo. Btw, I don't get what you're doing (or the point of it) before you call PsLookupProcessByProcessID(). So this code:
| Code: |
pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);//provides us with our IO_STACK_LOCATION
if(pIoStackIrp && Irp->MdlAddress)
{
target = (var *)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
if(target)
{
if(pIoStackIrp->Parameters.Write.Length == sizeof(var))
{
|
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
Last edited by oib111 on Tue Sep 09, 2008 7:32 pm; edited 1 time in total |
|
| Back to top |
|
|
UnLmtD
Grandmaster Cheater
Reputation: 0
Joined: 13 Mar 2007
Posts: 894
Location: Canada
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
