Undetectable Packet Sniffer - How/Where ?!

[Armand]

some program is detecting my packet sniffer and exits while i'm trying to figure out if it's a melicious software or not...

at start i thought it's detecting my packet sniffer becouse it's so common [wireshark] but then i've tried a less common one [PacketMon] and it was also detected so i've tried to change it's title using AU3, and changed the process name by remaning the executable... that all have failed... any other go ?

PS. can this:

http://www.supershareware.com/download/pac...l-edition-.html

or this:

http://www.supershareware.com/info/packet-...x-edition-.html

help me make a packet sniffer in AU3 ?

please help me find a solution.

Edited December 28, 2007 by Armand

[dbeasy]

Not sure if autoit can help you there. It might help you continuously run "netstat -ano" and cross check the new processes that show up and what ports and ip addresses they are connecting too. Are both packet capture programs relying on winpcap, is that what's being detected? There's a site called AnalogX that has a network monitor that might not be detected.

Sometimes I disconnect the Internet and start up a packet monitor on another PC and put it on the same wire (use a hub not a switch). If you're on wifi then you'll see all the traffic.

I've never seen a program that doesn't like packet monitors, sounds like a suspicious program. I have heard that itunes doesn't like to be run under a debugger but a packet monitor, huh. You should also run antivirus in its strongest protection mode, make it confirm every program name change, file deletes, creates, etc. Sure it'll be annoying but once you feel the program is safe you can move it to your working PC or turn down the antivirus warnings a bit.

You could also run it in a sandbox. Get some of the vmware images online to run Windows inside of a virtual machine, it might take a while to reinstall a new copy of XP inside the VM. Or try one of the virtual PC programs from Microsoft, they somewhat virtualize Windows in a different way.

[Armand]

@dbeasy

well, the point is that i want to know what is it that they are hiding in there, i mean, why would they block packet sniffers?! what info are they trying to steal from me ?!

is there no packet-sniffer that is 100% undetectable ?!

[Armand]

no one has any suggestion ?!

[PsaltyDS]

A packet sniffer is a low-level process that gets close to the "iron" (hardware/driver level stuff). AutoIt is probably not the right language for even attempting to create one. Study up on C++, with emphasis on writing network drivers, and you'll be on the write track. AutoIt would only help you implement the use of some other packet sniffer that already had this low-level stuff worked out.

As for hiding it, to the extent that can be done, I hope white-hat hackers everywhere are working feverishly to defeat that and un-hide it!

Your problem is something "hidden", at least you don't know what process it is, killing your sniffers. The solution is to un-hide that process, not to hide yours.

Have you performed all the standard AV/Malware/RootKit detection/removal stuff? Is your computer a managed workstation that might be detecting your sniffer as malicious and removing it? Does it happen on other workstations in the same management context?