hide Process code, good !
Posted: Mon Jan 22, 2007 6:03 am
by end7
The code can hide any process in Win2000 and WinXP as well.
Code:
OpenWindow(0, 100, 200, 195, 260, "PureBasic Window", #PB_Window_SystemMenu | #PB_Window_MinimizeGadget | #PB_Window_MaximizeGadget)
Repeat
  EventID = WaitWindowEvent()
  If EventID = #PB_Event_CloseWindow ; If the user has pressed on the close button
    Quit = 1
  EndIf
Until Quit = 1
Posted: Mon Jan 22, 2007 7:05 am
by Tranquil
Where is the question? Or does your posting belong to the Tips&Tricks section?
Posted: Mon Jan 22, 2007 7:35 am
by end7
Tranquil wrote: Where is the question? Or does your posting belong to the Tips&Tricks section?
How to hide a process in Windows 2003?
Posted: Mon Jan 22, 2007 9:43 am
by Rings
Besides the point that this is absolutely hacker-stuff (and you ask only such and TCP/IP questions), it seems you want to code some bot-stuff/viri.
Anyway, your code did not work (W2k SP4), WXP did.
Seems like a lot of peek&pokes for writing in the PID-LIST at real memory........
You will find more info on hiding processes at Rootkit.com.
Posted: Mon Jan 22, 2007 1:15 pm
by SFSxOI
Why would you want to hide a process of a legitimately running program or service anyway? What would be the point?
Posted: Mon Jan 22, 2007 1:33 pm
by GedB
Perhaps he works for Sony.
Posted: Mon Jan 22, 2007 1:38 pm
by Derek
GedB wrote: Perhaps he works for Sony.
Posted: Mon Jan 22, 2007 4:09 pm
by eJan
end7 wrote: The code can hide any process in Win2000 and WinXP as well.
Unfortunately, doesn't work on my XP pro.
Posted: Mon Jan 22, 2007 10:50 pm
by SFSxOI
Maybe it's service-pack or update specific?
But I did borrow a part of it for my little snippets collection:
Code:
Structure PROCESSENTRY32s
  dwSize.l
  cntUsage.l
  th32ProcessID.l
  th32DefaultHeapID.l
  th32ModuleID.l
  cntThreads.l
  th32ParentProcessID.l
  pcPriClassBase.l
  dwFlags.l
  szExeFile.s{#MAX_PATH} ; MAX_PATH chars, as in the Win32 layout
EndStructure
#TH32CS_SNAPPROCESS = $2

; Returns the PID of the first process whose image name matches s (case-insensitive),
; or 0 if the Toolhelp snapshot does not list such a process
Procedure.l FindPid(s.s)
  Protected Process.PROCESSENTRY32s
  Protected ProcSnap.l, pid.l
  ProcSnap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If ProcSnap <> 0
    Process\dwSize = SizeOf(Process)
    ; Process32First fills the first entry; the original skipped it
    If Process32First_(ProcSnap, @Process)
      Repeat
        If UCase(Process\szExeFile) = UCase(s)
          pid = Process\th32ProcessID
          Break
        EndIf
      Until Process32Next_(ProcSnap, @Process) = 0
    EndIf
    CloseHandle_(ProcSnap) ; the snapshot is a kernel handle and must be released
  EndIf
  ProcedureReturn pid
EndProcedure
Thank You
Posted: Tue Jan 23, 2007 12:07 am
by rsts
I think Rings tagged it.
Can you explain to us a legitimate use for such code? As a developer, I don't want to hide my code and as a user I certainly don't want anyone 'hiding' code from me.
Why would this be done?
Posted: Tue Jan 23, 2007 12:11 am
by Kaeru Gaman
I'll second that.
Posted: Tue Jan 23, 2007 12:53 am
by SFSxOI
MS does that to you all the time, they just call it a 'feature'

and then when you find out about it it's called a 'Bug'

then if it really causes a problem it's called an 'Exploit'

then if it's not so serious it's put on a list and the fix is later called an 'Update'
rsts wrote: I think Rings tagged it.
.... as a user I certainly don't want anyone 'hiding' code from me.
Why would this be done?
Anyway... yes, I'm of the same mind; even as much of a novice as I am, I question the legitimacy and need to hide a process also. However, maybe end7 was just putting together some neat code as a learning experience and actually got it to work... so, all happy that it worked, he decided to share his creation with the rest of the forum.
Posted: Tue Jan 23, 2007 9:45 am
by Henrik
@End7 working fine on XP Pro SP2.
But how do you find a hidden process again?
@rsts
Oh come on, then what about the legitimacy of all the "Injecting" stuff floating around in this forum, and the Execute from RAM code, etc.
You just can do this!, and this is at least one way of doing it, and it's nice to know how it's done.
Now how do you find a hidden process then? I think that would be even more interesting.
And btw. I think Ricardo would be happy about this, he is/was trying to prevent ppl from easily disabling the blocking stuff he had set up on the public library he is working on (or was working on?).
Best Henrik
Posted: Tue Jan 23, 2007 1:18 pm
by Henrik
Okay, this will find the hidden process when it's hidden with End7's method.
It's a quick hack of some old hook stuff, but it works.
It doesn't show all the processes, but it shows the hidden ones with End7's method.
I'll try to make a better one that shows all the processes and modules, but I need to dig out some sources first.. hmm.. :roll:
Code:
EnableExplicit

Prototype.l PFNCreateToolhelp32Snapshot(dwFlags.l, th32ProcessID.l)
Prototype.l PFNProcess32First(hSnapshot.l, *lppe.PROCESSENTRY32) ; BOOL is 32-bit, not a byte
Prototype.l PFNProcess32Next(hSnapshot.l, *lppe.PROCESSENTRY32)
Prototype.l PFNENUMPROCESSMODULES(hProcess.l, *lphModule.l, cb.l, lpcbNeeded.l)
Prototype.l PFNGETMODULEFILENAMEEXA(hProcess.l, hModule.l, lpFilename.l, nSize.l)

; Looks a process up by image name in the Toolhelp snapshot.
; Returns its PID, or 0 if Toolhelp does not list it.
Procedure GetPidByName(name.s)
  Protected hDLL.l, hTool32.l, pid.l
  Protected PEntry.PROCESSENTRY32, process_name.s
  Protected pCreateToolhelp32Snapshot.PFNCreateToolhelp32Snapshot
  Protected pProcess32First.PFNProcess32First
  Protected pProcess32Next.PFNProcess32Next

  hDLL = OpenLibrary(#PB_Any, "kernel32.dll")
  If hDLL = 0
    ProcedureReturn 0
  EndIf
  pCreateToolhelp32Snapshot = GetFunction(hDLL, "CreateToolhelp32Snapshot")
  pProcess32First = GetFunction(hDLL, "Process32First")
  pProcess32Next = GetFunction(hDLL, "Process32Next")

  hTool32 = pCreateToolhelp32Snapshot(#TH32CS_SNAPPROCESS, 0)
  If hTool32 <> #INVALID_HANDLE_VALUE
    PEntry\dwSize = SizeOf(PROCESSENTRY32)
    If pProcess32First(hTool32, @PEntry)
      Repeat
        ; szExeFile is a fixed char array; read it as a string
        process_name = PeekS(@PEntry\szExeFile)
        If UCase(process_name) = UCase(name)
          pid = PEntry\th32ProcessID
          Break ; do not return from inside the loop, the handles below must be closed
        EndIf
      Until pProcess32Next(hTool32, @PEntry) = 0
    EndIf
    CloseHandle_(hTool32)
  EndIf
  CloseLibrary(hDLL)
  ProcedureReturn pid
EndProcedure

; Walks the PID space directly and asks PSAPI for each process's module list.
; An .exe module whose name Toolhelp does not report is flagged as hidden.
Procedure EnumModules()
  Protected Dim hMods.l(1024)
  Protected cbNeeded.l, i.l, hProcess.l, m_hModPSAPI.l, loopcnt.l
  Protected m_pfnEnumProcessModules.PFNENUMPROCESSMODULES
  Protected m_pfnGetModuleFileNameExA.PFNGETMODULEFILENAMEEXA
  Protected szModName.s, pid.l

  ; Load PSAPI once, not on every iteration (and close it once at the end)
  m_hModPSAPI = OpenLibrary(#PB_Any, "PSAPI.DLL")
  If m_hModPSAPI = 0
    Debug "Error loading PSAPI.DLL"
    ProcedureReturn 0
  EndIf
  m_pfnEnumProcessModules = GetFunction(m_hModPSAPI, "EnumProcessModules")
  m_pfnGetModuleFileNameExA = GetFunction(m_hModPSAPI, "GetModuleFileNameExA")

  For pid = 0 To 4096 Step 4 ; PIDs are always multiples of 4
    ; Query/read rights are all EnumProcessModules needs, and they are granted
    ; on far more processes than PROCESS_ALL_ACCESS
    hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, #False, pid)
    If hProcess
      ; 1024 * 4 = SizeOf(hMods)
      If m_pfnEnumProcessModules(hProcess, @hMods(), 1024*4, @cbNeeded) > 0
        If cbNeeded > 1024*4 : cbNeeded = 1024*4 : EndIf ; cbNeeded may exceed the buffer
        loopcnt = (cbNeeded / SizeOf(Long)) - 1 ; HMODULE is a 32-bit pointer here
        For i = 0 To loopcnt
          szModName = Space(#MAX_PATH)
          ; Get the full path to the module's file.
          If m_pfnGetModuleFileNameExA(hProcess, hMods(i), @szModName, Len(szModName)) > 0
            If UCase(GetExtensionPart(szModName)) = "EXE"
              Debug "======="
              Debug szModName
              Debug " pid " + Str(pid)
              Debug "module count " + Str(loopcnt)
              If GetPidByName(GetFilePart(szModName))
                Debug "Normal Process!"
              Else
                ; In the module list but absent from the Toolhelp snapshot
                Debug "* * * HIDDEN PROCESS! ** This Process is Hidden ** * * *"
              EndIf
              Debug "======="
              Debug " "
            EndIf
          EndIf
        Next i
      Else
        ; Hmm, don't know what this is?
        ; Debug "unknown Process" + " pid " + Str(pid)
      EndIf
      CloseHandle_(hProcess)
    EndIf
  Next
  CloseLibrary(m_hModPSAPI)
  ProcedureReturn 0
EndProcedure

EnumModules()
Best Henrik
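An added example, not code from the thread: where Henrik's detector compares module names, this one compares two process views by PID, the Toolhelp snapshot against a direct OpenProcess probe of the PID space, and reports PIDs the kernel answers for that Toolhelp does not list. It assumes PureBasic's built-in Windows constants and PROCESSENTRY32 structure; the 65536 PID ceiling is an assumption.

```purebasic
EnableExplicit
NewList ToolhelpPid.l()   ; view 1: what the Toolhelp snapshot reports
NewList BruteForcePid.l() ; view 2: every PID the kernel answers for when probed

; View 1: the Toolhelp snapshot, the same view Henrik's GetPidByName relies on
Procedure CollectToolhelp()
  Protected hSnap.l, pe.PROCESSENTRY32
  hSnap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If hSnap <> #INVALID_HANDLE_VALUE
    pe\dwSize = SizeOf(PROCESSENTRY32)
    If Process32First_(hSnap, @pe)
      Repeat
        AddElement(ToolhelpPid()) : ToolhelpPid() = pe\th32ProcessID
      Until Process32Next_(hSnap, @pe) = 0
    EndIf
    CloseHandle_(hSnap)
  EndIf
EndProcedure

; View 2: probe the PID space directly (PIDs are multiples of 4). A handle or
; an "access denied" answer both prove the PID is alive; maxPid is an assumption.
Procedure CollectBruteForce(maxPid.l)
  Protected pid.l, h.l
  For pid = 4 To maxPid Step 4
    h = OpenProcess_(#PROCESS_QUERY_INFORMATION, #False, pid)
    If h
      AddElement(BruteForcePid()) : BruteForcePid() = pid
      CloseHandle_(h)
    ElseIf GetLastError_() = 5 ; ERROR_ACCESS_DENIED: alive but protected
      AddElement(BruteForcePid()) : BruteForcePid() = pid
    EndIf
  Next
EndProcedure

; A PID the kernel answers for but Toolhelp never listed is a hidden candidate
Procedure ReportHidden()
  Protected found.l, count.l
  ForEach BruteForcePid()
    found = #False
    ForEach ToolhelpPid()
      If ToolhelpPid() = BruteForcePid() : found = #True : Break : EndIf
    Next
    If found = #False
      Debug "PID " + Str(BruteForcePid()) + " is missing from the Toolhelp view"
      count + 1
    EndIf
  Next
  ProcedureReturn count
EndProcedure
CollectToolhelp()
CollectBruteForce(65536)
Debug Str(ReportHidden()) + " hidden candidate(s)"
```

Processes that start or exit between the two passes also show up as differences, so repeat the run before trusting a hit; a hit only says the two views disagree, not why.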
Posted: Wed Jan 24, 2007 9:41 am
by end7
Rings wrote: Besides the point that this is absolutely hacker-stuff (and you ask only such and TCP/IP questions), it seems you want to code some bot-stuff/viri.
Anyway, your code did not work (W2k SP4), WXP did.
Seems like a lot of peek&pokes for writing in the PID-LIST at real memory........
You will find more info on hiding processes at Rootkit.com.
