hide Process code, good !

end7
User
Posts: 10
Joined: Thu Jun 01, 2006 9:07 am


Post by end7 »

The code can hide any process in Win2000 and WinXP as well.

Code:

; Open a window and wait until the user closes it
OpenWindow(0, 100, 200, 195, 260, "PureBasic Window", #PB_Window_SystemMenu | #PB_Window_MinimizeGadget | #PB_Window_MaximizeGadget)
Repeat
   EventID = WaitWindowEvent()

   If EventID = #PB_Event_CloseWindow  ; If the user has pressed the close button
      Quit = 1
   EndIf

Until Quit = 1

Tranquil
Addict
Posts: 952
Joined: Mon Apr 28, 2003 2:22 pm
Location: Europe

Post by Tranquil »

Where is the question? Or does your posting belong to the Tips&Tricks section?
Tranquil
end7
User
Posts: 10
Joined: Thu Jun 01, 2006 9:07 am

Post by end7 »

Tranquil wrote:Where is the question? Or does your posting belong to the Tips&Tricks section?
How to hide a process in Windows 2003?
Rings
Moderator
Posts: 1435
Joined: Sat Apr 26, 2003 1:11 am

Post by Rings »

Besides the point that this is absolutely hacker stuff
(and you ask only such and TCP/IP questions),
it seems you want to code some bot stuff/viruses.

Anyway,
your code did not work (W2k SP4); WXP did.
Seems like a lot of peeks & pokes for
writing in the PID list in real memory........

You will find more info on hiding processes
at Rootkit.com.
SPAMINATOR NR.1
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

Why would you want to hide a process of a legitimately running program or service anyway? What would be the point?
GedB
Addict
Posts: 1313
Joined: Fri May 16, 2003 3:47 pm
Location: England

Post by GedB »

Perhaps he works for Sony.
Derek
Addict
Posts: 2354
Joined: Wed Apr 07, 2004 12:51 am
Location: England

Post by Derek »

GedB wrote:Perhaps he works for Sony.
:lol: :lol:
eJan
Enthusiast
Posts: 366
Joined: Sun May 21, 2006 11:22 pm
Location: Sankt Veit am Flaum


Post by eJan »

end7 wrote:the code can hide any process in win2000 and winxp as well
Unfortunately, it doesn't work on my XP Pro.
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

Maybe it's service pack or update specific?

But I did borrow a part of it for my little snippets collection:

Code:

; Toolhelp process entry; szExeFile is MAX_PATH (260) chars in the real struct
Structure PROCESSENTRY32s
    dwSize.l
    cntUsage.l
    th32ProcessID.l
    th32DefaultHeapID.l
    th32ModuleID.l
    cntThreads.l
    th32ParentProcessID.l
    pcPriClassBase.l
    dwFlags.l
    szExeFile.s{260}
EndStructure
#TH32CS_SNAPPROCESS = $2

; Return the PID of the first process whose image name matches s (case-insensitive), or 0
Procedure.l FindPid(s.s)
  Protected Process.PROCESSENTRY32s
  Protected ProcSnap.l, pid.l
  ProcSnap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If ProcSnap <> #INVALID_HANDLE_VALUE
    Process\dwSize = SizeOf(Process)
    If Process32First_(ProcSnap, @Process)
      Repeat                                   ; the first entry is checked too
        If LCase(Process\szExeFile) = LCase(s)
          pid = Process\th32ProcessID
          Break
        EndIf
      Until Process32Next_(ProcSnap, @Process) = 0
    EndIf
    CloseHandle_(ProcSnap)                     ; release the snapshot handle
  EndIf
  ProcedureReturn pid
EndProcedure
Thank You
rsts
Addict
Posts: 2736
Joined: Wed Aug 24, 2005 8:39 am
Location: Southwest OH - USA

Post by rsts »

I think Rings tagged it.

Can you explain to us a legitimate use for such code? As a developer, I don't want to hide my code and as a user I certainly don't want anyone 'hiding' code from me.

Why would this be done?
Kaeru Gaman
Addict
Posts: 4826
Joined: Sun Mar 19, 2006 1:57 pm
Location: Germany

Post by Kaeru Gaman »

I'll second that.
oh... and have a nice day.
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Post by SFSxOI »

MS does that to you all the time; they just call it a 'feature' :) and then when you find out about it, it's called a 'bug' :) then if it really causes a problem it's called an 'exploit' :) then if it's not so serious it's put on a list and the fix is later called an 'update' :)
rsts wrote:I think Rings tagged it.

.... as a user I certainly don't want anyone 'hiding' code from me.

Why would this be done?
Anyway... yes, I'm of the same mind; even as novice as I am, I question the legitimacy and need to hide a process also. However, maybe end7 was just putting together some neat code as a learning experience and actually got it to work... so, all happy that it worked, he decided to share his creation with the rest of the forum.
Henrik
Enthusiast
Posts: 404
Joined: Sat Apr 26, 2003 5:08 pm
Location: Denmark

Post by Henrik »

@End7 Working fine on XP Pro SP2.
But how do you find a hidden process again? :?

@rsts
Oh come on, then what about the legitimacy of all the "injecting" stuff floating around in this forum, and the execute-from-RAM code, etc. :wink:

You just can do this! And this is at least one way of doing it, and it's nice to know how it's done.
Now how do you find a hidden process then? I think that would be even more interesting.

And btw, I think Ricardo would be happy about this; he is/was trying to prevent people from easily disabling the blocking stuff he had set up on the public library he is working on (or was working on?).

Best Henrik
Henrik
Enthusiast
Posts: 404
Joined: Sat Apr 26, 2003 5:08 pm
Location: Denmark

Post by Henrik »

Okay, this will find the hidden process when it's hidden with End7's method.

It's a quick hack of some old hook stuff, but it works.
It doesn't show all the processes, but it shows the ones hidden with End7's method.

I'll try to make a better one that shows all the processes and modules, but I need to dig out some sources first.. hmm.. :roll:

Code:

EnableExplicit

; Function pointers for the Toolhelp and PSAPI calls resolved at runtime.
; BOOL is a 32-bit int, so the Process32First/Next prototypes return .l, not .b
Prototype.l PFNCreateToolhelp32Snapshot(dwFlags.l, th32ProcessID.l)
Prototype.l PFNProcess32First(hSnapshot.l, *lppe.PROCESSENTRY32)
Prototype.l PFNProcess32Next(hSnapshot.l, *lppe.PROCESSENTRY32)
Prototype.l PFNENUMPROCESSMODULES(hProcess.l, *lphModule.l, cb.l, *lpcbNeeded.l)
Prototype.l PFNGETMODULEFILENAMEEXA(hProcess.l, hModule.l, *lpFilename, nSize.l)

; Walk the Toolhelp snapshot (the view a process-list rootkit tampers with)
; and report whether the given PID is in it. Comparing PIDs instead of exe
; names means a second, visible copy of the same exe cannot mask a hidden one.
Procedure.l PidInSnapshot(pid.l)
    Protected hDLL.l, hTool32.l, found.l
    Protected PEntry.PROCESSENTRY32
    Protected pCreateToolhelp32Snapshot.PFNCreateToolhelp32Snapshot
    Protected pProcess32First.PFNProcess32First
    Protected pProcess32Next.PFNProcess32Next

    hDLL = OpenLibrary(#PB_Any, "kernel32.dll")
    If hDLL = 0
        ProcedureReturn 0
    EndIf
    pCreateToolhelp32Snapshot = GetFunction(hDLL, "CreateToolhelp32Snapshot")
    pProcess32First = GetFunction(hDLL, "Process32First")
    pProcess32Next  = GetFunction(hDLL, "Process32Next")

    PEntry\dwSize = SizeOf(PROCESSENTRY32)
    hTool32 = pCreateToolhelp32Snapshot(#TH32CS_SNAPPROCESS, 0)
    If hTool32 <> #INVALID_HANDLE_VALUE
        If pProcess32First(hTool32, @PEntry)
            Repeat                                ; the first entry is checked too
                If PEntry\th32ProcessID = pid
                    found = #True
                    Break
                EndIf
            Until pProcess32Next(hTool32, @PEntry) = 0
        EndIf
        CloseHandle_(hTool32)                     ; don't leak the snapshot handle
    EndIf
    CloseLibrary(hDLL)
    ProcedureReturn found
EndProcedure

; Brute-force every possible PID with OpenProcess(). A process unlinked from
; the list Toolhelp reads can still be opened by PID, so any PID we can open
; that is missing from the snapshot is hidden. This is a one-shot sample: a
; process that exits between the two views would also show up as a difference.
Procedure EnumModules()
    Protected Dim hMods.l(1024)
    Protected cbNeeded.l, i.l, hProcess.l, m_hModPSAPI.l, loopcnt.l
    Protected m_pfnEnumProcessModules.PFNENUMPROCESSMODULES
    Protected m_pfnGetModuleFileNameExA.PFNGETMODULEFILENAMEEXA
    Protected szModName.s, pid.l

    m_hModPSAPI = OpenLibrary(#PB_Any, "PSAPI.DLL")   ; load once, not per PID
    If m_hModPSAPI = 0
        Debug "Error loading PSAPI.DLL"
        ProcedureReturn 0
    EndIf
    m_pfnEnumProcessModules   = GetFunction(m_hModPSAPI, "EnumProcessModules")
    m_pfnGetModuleFileNameExA = GetFunction(m_hModPSAPI, "GetModuleFileNameExA")

    ; PIDs are always multiples of 4; 65532 covers the 16-bit range XP hands out
    For pid = 4 To 65532 Step 4
        ; Ask only for the rights EnumProcessModules needs, so more processes open
        hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, #False, pid)
        If hProcess
            If m_pfnEnumProcessModules(hProcess, @hMods(), 1024 * 4, @cbNeeded)
                loopcnt = (cbNeeded / SizeOf(Long)) - 1      ; HMODULE is 32 bits on x86
                If loopcnt > 1023 : loopcnt = 1023 : EndIf   ; the array holds 1024 handles
                For i = 0 To loopcnt
                    szModName = Space(#MAX_PATH)
                    ; Get the full path to the module's file
                    If m_pfnGetModuleFileNameExA(hProcess, hMods(i), @szModName, #MAX_PATH)
                        ; The .exe module is the process's own image
                        If UCase(GetExtensionPart(szModName)) = "EXE"
                            If PidInSnapshot(pid)
; ** NORMAL PROCESS
;==================
                                Debug "======="
                                Debug szModName
                                Debug " pid " + Str(pid)
                                Debug "module count " + Str(loopcnt + 1)
                                Debug "Normal Process!"
                                Debug "======="
                                Debug " "
                            Else
; ** HIDDEN PROCESS
;==================
                                Debug "* * * * * * * * * * * * * * * * * * * * * * * * * *"
                                Debug " "
                                Debug "HIDDEN PROCESS!"
                                Debug " "
                                Debug szModName
                                Debug " pid " + Str(pid)
                                Debug "module count " + Str(loopcnt + 1)
                                Debug " "
                                Debug "** This process is not in the Toolhelp snapshot **"
                                Debug " "
                                Debug "* * * * * * * * * * * * * * * * * * * * * * * * * *"
                                Debug " "
                            EndIf
                        EndIf
                    EndIf
                Next i
            EndIf
            CloseHandle_(hProcess)
        EndIf
    Next
    CloseLibrary(m_hModPSAPI)
    ProcedureReturn 0
EndProcedure

EnumModules()
Best Henrik
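The same cross-view idea Henrik's code uses, written up as an added example in Python rather than PureBasic (this is not code from the thread or from any of its posters). Two views of "which PIDs exist" are taken, one through the Toolhelp snapshot that a list-unlinking hider tampers with, one by brute-forcing OpenProcess() over candidate PIDs, and the difference is reported. Two things the forum code leaves out are handled here: an ACCESS_DENIED from OpenProcess still proves the PID exists (a protected process), and a process that exits between the two snapshots also shows up as a difference, so the comparison is repeated and only PIDs missing in every pass are reported. The PID upper bound of 65536, the constructed views used to exercise the pure logic, and the choice of PROCESS_QUERY_INFORMATION as the access right are assumptions; the ctypes part only loads on Windows.

```python
"""Cross-view detection of hidden processes (added example, not forum code)."""
import sys
from typing import Callable, Iterable, Optional, Set

PidEnumerator = Callable[[], Iterable[int]]


def diff_views(api_view: Iterable[int], raw_view: Iterable[int]) -> Set[int]:
    """PIDs present in the low-level view but missing from the API view."""
    return set(raw_view) - set(api_view)


def confirm_hidden(api_enum: PidEnumerator, raw_enum: PidEnumerator,
                   passes: int = 3) -> Set[int]:
    """Report only PIDs that differ in every pass, which filters out
    processes that merely exited between two snapshots."""
    suspects: Optional[Set[int]] = None
    for _ in range(passes):
        current = diff_views(api_enum(), raw_enum())
        suspects = current if suspects is None else suspects & current
        if not suspects:              # nothing survives, no need for more passes
            return set()
    return suspects if suspects is not None else set()


if sys.platform == "win32":           # real enumerators; assumed constants below
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    TH32CS_SNAPPROCESS = 0x2
    PROCESS_QUERY_INFORMATION = 0x400     # works on XP; 0x1000 (LIMITED) on Vista+ opens more
    ERROR_ACCESS_DENIED = 5
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value

    class PROCESSENTRY32(ctypes.Structure):   # ANSI layout, MAX_PATH szExeFile
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD),
                    ("th32DefaultHeapID", ctypes.c_size_t),     # ULONG_PTR
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD),
                    ("pcPriClassBase", wintypes.LONG), ("dwFlags", wintypes.DWORD),
                    ("szExeFile", ctypes.c_char * 260)]

    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.Process32First.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.Process32Next.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]

    def toolhelp_pids() -> Set[int]:
        """The list-walking view (what Task Manager shows)."""
        snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        if snap == INVALID_HANDLE_VALUE:
            raise ctypes.WinError(ctypes.get_last_error())
        pids, entry = set(), PROCESSENTRY32()
        entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
        try:
            ok = k32.Process32First(snap, ctypes.byref(entry))
            while ok:
                pids.add(entry.th32ProcessID)
                ok = k32.Process32Next(snap, ctypes.byref(entry))
        finally:
            k32.CloseHandle(snap)
        return pids

    def openprocess_pids(max_pid: int = 65536) -> Set[int]:
        """Brute-force view: every PID OpenProcess() will open. ACCESS_DENIED
        still proves the PID exists (a protected process), so count it too."""
        pids = set()
        for pid in range(4, max_pid, 4):          # Windows PIDs are multiples of 4
            h = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
            if h:
                k32.CloseHandle(h)
                pids.add(pid)
            elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
                pids.add(pid)
        return pids

    if __name__ == "__main__":
        for pid in sorted(confirm_hidden(toolhelp_pids, openprocess_pids)):
            print(f"PID {pid} can be opened but is missing from the Toolhelp snapshot")
```

Any other pair of enumerators works with `confirm_hidden`, e.g. a PID list read from a kernel driver against the Toolhelp view; the re-sampling only suppresses transient differences, so a hider that also blocks OpenProcess() for its PID would need a third view to be caught.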
end7
User
Posts: 10
Joined: Thu Jun 01, 2006 9:07 am

Post by end7 »

Rings wrote:Besides the point that this is absolutely hacker stuff
(and you ask only such and TCP/IP questions),
it seems you want to code some bot stuff/viruses.

Anyway,
your code did not work (W2k SP4); WXP did.
Seems like a lot of peeks & pokes for
writing in the PID list in real memory........

You will find more info on hiding processes
at Rootkit.com.
:) :)