РусскийEnglishУкраїнськаDeutschEspañolFrançaisItalianoPolski

VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Antivirus Forum

[Previous] [Index] [Next]

Process Hide

Author: 90210

The engine was released in 29A#7 magazine

Author's notes

"Phide" (process hide) is the engine for the low level process manipulating on kernel level, designed to be used by a userland process. It supports only nt-based systems (NT4, 2k, XP, 2k3). Process management is done through the playing with EPROCESS structures. Thread that calls engine MUST have read/write access to \Device\PhysicalMemory, otherwise engine will fail.

Features

The engine main features are:

• get EPROCESS offset for a given pid.
• hide the selected process by excluding its EPROCESS from the most low-level kernel process list, which starts from PsActiveProcessHead symbol.
• change selected process image name in run-time.
• patch UniqueProcess field in all ETHREADs that belong to the selected process to hide it from klister-like tools.
• process can be selected by pid or directly by its EPROCESS structure. This is useful when process is already hidden and you have to hide new thread from klister, because even one thread with a real pid of its process-creator will compromise the whole process.

Process hiding technique is the same, as in the 'fu' rootkit, but my goal was to make a small engine callable from r3. For now it's the only tool, which hides processes from klister (i have version 0.3 of this brilliant software).

Engine code doesn't rely on the hardcoded ntoskrnl offsets, that may vary from one servicepack to another. It only relays on the offsets of the needed EPROCESS and EHTREADS fields, because these structs are different in 4 types of nt-based oses.