Hi coders,
I had a query in my mind. Please help me with the solution. I thank you all in advance.
The problem is: I can hide any process in Win 9x with the undocumented RegisterServiceProcess API from kernel32.dll, like this.

invoke GetModuleHandle, addr kernel      ; HMODULE of the already-loaded kernel32.dll
invoke GetProcAddress, eax, addr rsp     ; resolve the export by name (name is case-sensitive)
mov ebx, eax                             ; eax = 0 if the export does not exist (NT/XP)
push 1                                   ; dwType = 1: register as a service process
push 0                                   ; dwProcessId = 0: the current process
call ebx                                 ; RegisterServiceProcess(0, 1)

where

kernel db "kernel32.dll",0
rsp db "RegisterServiceProcess",0

But when it comes to Win NT or Win XP it doesn't work, since they don't have that API in kernel32.dll.

My question is: how can we hide a process in Win NT or Win XP???
Is there some other API or some other solution? Please explain.
Posted on 2004-10-02 05:55:34 by nickdigital
Get 29A magazine issue 7. There is an article by Yoda showing a way of hiding a process on NT.
Posted on 2004-10-02 11:23:11 by arafel
A better way than y0da :)
Create a remote thread in another process, then execute the remote thread and then kill the parent process - NO PROCESS TO FIND :)

Microsoft used this method in a trojan/RAT that uses the name logagent.exe, lives in the system32 folder, and purports to be a Media Player component.

Have a nice day :)
Posted on 2004-10-03 08:34:55 by Homer
Evilhomer
Thank you so much.. but can you please show me an example of how to do that?
I mean CreateRemoteThread and then kill the main process. Will it not show in Task Manager, and does it work on all OSes??? Win NT or Win XP???
Thank you for your inputs,
nickdigital
Posted on 2004-10-03 08:53:25 by nickdigital
No - it's against the rules of this forum :)
Posted on 2004-10-03 09:14:26 by Homer
Evilhomer2k
Thank you for your help, I'll try to do it myself.
Anyway, your input was very good.
Thanks once again,
nickdigital
Posted on 2004-10-03 09:25:44 by nickdigital
This sounds evil. Anyone know how to find hidden processes that are running on your machine?
Posted on 2004-10-03 09:41:50 by JimG
This sounds evil. Anyone know how to find hidden processes that are running on your machine?

In 9x, just above the shared memory (VA_SHARED by Matt P.), like 0x80000000+0x200000, is the start of the process blocks. If you index by 0x100 you are capable of finding every process name; you don't need ring0 code to do this.

BTW, as Matt P. documents in his book, calling GetProcessId and then unobfuscating it will give you the address here.
Posted on 2004-10-03 16:00:52 by archphase
A better way than y0da :)
Create a remote thread in another process, then execute the remote thread and then kill the parent process - NO PROCESS TO FIND :)

Microsoft used this method in a trojan/RAT that uses the name logagent.exe, lives in the system32 folder, and purports to be a Media Player component.

Have a nice day :)

There is a much better solution :)
Unlink the process from the EPROCESS chain. NO hooking, NO problem.
http://www.rootkit.com/project.php?id=12
Posted on 2004-10-03 16:36:24 by Criminal2
NT-only though. IMO a ring3 Win32 solution is much more elegant: hook Process32First/Next as well as NtQuerySystemInformation for output from SystemInformation. As for hooking the API, use the IAT or overwriting method.
Posted on 2004-10-04 00:38:53 by Drocon
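A defender-side counterpart to JimG's question ("how to find hidden processes") and to the ring3 hooking Drocon describes, added here as an example and not code posted by anyone in this thread: a cross-view check. It takes the Toolhelp process listing (the enumeration a Process32First/Next hook filters) and compares it against a direct OpenProcess probe of every possible NT PID, reporting PIDs that only the probe can see. A user-mode hook has to lie consistently in every enumeration path and in every process that asks, and a fresh, unhooked checker that asks the kernel directly is exactly what it tends to miss. The Windows branch uses real Win32 calls; off Windows the same logic runs over constructed sample PID lists. The names pid_list, cross_view_diff and run_cross_view are my own, not any library's.

```c
/* Cross-view process detection (added example, not from the thread):
 * compare two user-mode enumerations of the running processes and report
 * PIDs that the handle probe sees but the Toolhelp listing omits. */
#include <stddef.h>
#include <stdio.h>

#define MAX_PIDS 4096

typedef struct {
    unsigned pids[MAX_PIDS];
    size_t count;
} pid_list;

static int pid_list_contains(const pid_list *l, unsigned pid) {
    for (size_t i = 0; i < l->count; i++)
        if (l->pids[i] == pid) return 1;
    return 0;
}

/* Fill `hidden` with the PIDs present in `probe` but absent from `listing`.
 * Returns the number of such PIDs. */
size_t cross_view_diff(const pid_list *listing, const pid_list *probe, pid_list *hidden) {
    hidden->count = 0;
    for (size_t i = 0; i < probe->count && hidden->count < MAX_PIDS; i++)
        if (!pid_list_contains(listing, probe->pids[i]))
            hidden->pids[hidden->count++] = probe->pids[i];
    return hidden->count;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* View 1: the Toolhelp snapshot, i.e. what a Process32First/Next hook filters. */
static void enumerate_toolhelp(pid_list *out) {
    out->count = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);
    if (Process32First(snap, &pe)) {
        do {
            if (out->count < MAX_PIDS) out->pids[out->count++] = pe.th32ProcessID;
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
}

/* View 2: ask the kernel about every possible PID. NT PIDs are multiples of 4.
 * ERROR_ACCESS_DENIED still proves the PID exists; only "not found" means absent.
 * PROCESS_QUERY_INFORMATION is used because it exists on NT4/2000/XP. */
static void enumerate_by_probe(pid_list *out) {
    out->count = 0;
    for (DWORD pid = 4; pid < 65536 && out->count < MAX_PIDS; pid += 4) {
        HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (h) { CloseHandle(h); out->pids[out->count++] = pid; }
        else if (GetLastError() == ERROR_ACCESS_DENIED) out->pids[out->count++] = pid;
    }
}
#else
/* Constructed sample views so the logic can be exercised off Windows. */
static void fill(pid_list *out, const unsigned *src, size_t n) {
    out->count = 0;
    for (size_t i = 0; i < n && i < MAX_PIDS; i++) out->pids[out->count++] = src[i];
}
static void enumerate_toolhelp(pid_list *out) {
    static const unsigned sample[] = {4, 368, 612, 1024, 1500};          /* constructed */
    fill(out, sample, sizeof sample / sizeof sample[0]);
}
static void enumerate_by_probe(pid_list *out) {
    static const unsigned sample[] = {4, 368, 612, 1024, 1500, 1732};    /* constructed */
    fill(out, sample, sizeof sample / sizeof sample[0]);                   /* 1732 is "hidden" */
}
#endif

/* Collect both views and diff them; returns the number of suspect PIDs. */
size_t run_cross_view(pid_list *hidden) {
    pid_list listing, probe;
    enumerate_toolhelp(&listing);
    enumerate_by_probe(&probe);
    return cross_view_diff(&listing, &probe, hidden);
}

int main(void) {
    pid_list hidden;
    size_t n = run_cross_view(&hidden);
    printf("%zu process(es) visible to OpenProcess but absent from the Toolhelp snapshot\n", n);
    for (size_t i = 0; i < n; i++) printf("  pid %u\n", hidden.pids[i]);
    return 0;
}
```

Treat a hit as a lead, not a verdict: a process that has exited but still has open handles keeps its PID and can still be opened, so a PID that appears in the diff on one run should be re-checked a moment later. Adding a third view (NtQuerySystemInformation with SystemProcessInformation, the other path Drocon mentions hooking) strengthens the check in the same way, and a hook that patches the checker itself is the reason such tools are usually run from a freshly started, statically resolved binary rather than from an already-running shell.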