
Thread: CodeProject: Driver to Hide Processes and Files

  1. #1

    CodeProject: Driver to Hide Processes and Files

    Nothing new but yet interesting:

    http://www.codeproject.com/KB/tips/hide-driver.aspx

  2. #2
    Registered User (Join Date: Jan 2008, Posts: 163, Blog Entries: 19)

    Old information. You find plenty of these samples on rootkit.com. Moreover, it's rather obsolete since on x64 you can't do SDT hooking nor ntoskrnl patching (patch guard). Last but not least, on vista x64 >= you have to sign drivers. Signatures for rootkits are obtained and kept only by gov agencies.

    The best way to hide a driver is not trying to. Combine this strategy with maybe a polymorphic engine and the driver becomes very difficult to detect.

  3. #3
    I agree with Daniel, the best way to stay unnoticed is not to hide the driver, and to be as compatible with the system as possible, thus the user will not see anything suspicious and you are safe.

  4. #4
    The article is about how to hide processes/files, not drivers.
    For driver hiding it's better to use driver infection or to use a launcher driver to map the real driver code into nonpaged memory pools, then unload the launcher ...

  5. #5
    Well, actually the point was that it uses the same techniques used by many rootkits/mw, such as hooking NtQueryDirectoryFile in kernel mode. So, the same applies to user mode mw. If you mean that it shouldn't be used by rk/mw and that it's _just_ a way to hide files, then I would absolutely discourage people from hooking the SDT to hide a file. The right way is writing an FS filter. Because, like I said above, on x64 this system doesn't work (in kernel mode), it's obsolete.

    Manually mapping the driver in nonpaged pool isn't the best technique as well. If you're a driver which interacts with the system you are likely to register callbacks etc. I could build an anti-rootkit tool which looks at all registered callbacks etc. and checks if there is one contained in a memory location with no associated driver. It's not 100% proof of a rootkit, but it could help reveal anomalies.
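The anomaly check that post #5 sketches, as an added example that is not part of the thread and not anyone's actual tool: every registered kernel callback is cross-referenced against the loaded-module map, and any callback whose target address falls outside every module image is flagged. The module bases, sizes and callback addresses below are constructed sample values, and the callback "kinds" are only labels; nothing here reads a live kernel.

```python
"""Added example (not from the thread): cross-reference registered kernel
callbacks against the loaded-module map and flag callbacks that live in
memory owned by no module (e.g. code manually mapped into nonpaged pool).
All data below is constructed for illustration; nothing is read from a
live kernel."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    """One loaded driver image: [base, base + size)."""
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


@dataclass(frozen=True)
class Callback:
    """One registered kernel callback: the registration kind and its target."""
    kind: str      # label only, e.g. the registration API it came from
    address: int   # routine address the kernel will call


def owning_module(address: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose image contains `address`, or None."""
    for m in modules:
        if m.contains(address):
            return m
    return None


def find_orphan_callbacks(callbacks: List[Callback],
                          modules: List[Module]) -> List[Callback]:
    """Callbacks whose target lies outside every loaded module image."""
    return [cb for cb in callbacks if owning_module(cb.address, modules) is None]


# Constructed sample data (not real system values).
MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80000000000, 0x600000),
    Module("tcpip.sys",    0xFFFFF88001000000, 0x200000),
    Module("fltmgr.sys",   0xFFFFF88001400000, 0x080000),
]
CALLBACKS = [
    Callback("PsSetCreateProcessNotifyRoutine", 0xFFFFF88001410000),  # inside fltmgr.sys
    Callback("CmRegisterCallback",              0xFFFFF88001050000),  # inside tcpip.sys
    Callback("PsSetLoadImageNotifyRoutine",     0xFFFFFA8003200000),  # pool address, no module
]


def report(callbacks: List[Callback] = CALLBACKS,
           modules: List[Module] = MODULES) -> List[str]:
    """One line per callback, naming its owning module or marking it anomalous."""
    lines = []
    for cb in callbacks:
        owner = owning_module(cb.address, modules)
        tag = owner.name if owner else "NO MODULE (anomaly)"
        lines.append(f"{cb.kind:<34} {cb.address:#018x} -> {tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

As the post itself says, a hit is an anomaly rather than proof: a callback that does resolve to a module is not evidence of a clean system either, since post #4's driver-infection approach would place the code inside a legitimate image.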

  6. #6
    well anyway, if it was for hiding process/drivers you achieve the same results either by unlinking the process from EPROCESS or the driver from PsLoadedModulesList, but that's not it, still you are visible. The best way -> put some files into c:\windows\system32, load the driver with a not suspicious name, be compatible with the system, and everything will be just fine imho
