landhb / hideprocess
A basic Direct Kernel Object Manipulation rootkit that removes a process from the EPROCESS list, hiding it from the Task Manager
Hi Bro,
Pleased to see you!
64-bit operating system.
If a driver signature is added, can it be used?
Thank you!
Hello, I want to know how to compile the loader with MinGW. I have already set it up on my Windows 7 x64 and I don't have any idea what to type on cmd to get the dkom.exe file. I put the makefile in the dir C:\MinGW\bin, along with the loader folder and tools. What next?
Please help <3, or could someone give me a tutorial?
I try to use it in a Win 7 64-bit installation with Driver Signing check and PatchGuard disabled.
When I try to hide a process I obtain this output:
Error loading driver: 系统找不到指定的路径。
Doesn't exist, installing new SCM entry...
I have compiled the driver in Visual Studio 2017 run on Win10, and I checked the following options:
Driver Setting:
Target OS Version = Windows 7
Target Platform = Desktop
Platform = x64
Configuration Manager
Active Solution Platform = x64
Platform = x64
About the loader, I have compiled it using the command "make 64bit".
Thanks
I use Visual Studio 2017 to build this project, but get an error that ndis_debug.h and tcphook.h are missing.
Hi, I'm trying to build a DKOM following your guide and using your code.
I followed all the steps, but when I use the .exe, an error occurs.
I used Visual Studio 2017, the latest version of the SDK (version 1809) and WDK (version 1809). The build in Visual Studio gives me no problem and creates the Rootkit.sys. Then, thinking that the problem was the path, I copied it to every location on my computer and tried to modify the path in loader.c many times, but the error is unresolved. I tried to build it as 64-bit or 32-bit, but nothing changed. I'm looking at the code in loader.c, and I think the problem is the starting of the service. Do you have any idea? What is blocking the CreateService?
I'm trying it in a Windows 7, 64-bit VM.
Thanks in advance.
Hi! We have a BSOD on loading the driver in 7x64.
Dump:
dmp file
As the title says, I have been testing this and after 2 minutes of hiding your process the system just freezes.
Is it because of this Windows build, maybe?
Compiling and running the driver was very easy, it worked like a charm.
After 30 min on Win10 1511.
I know it's a POC, but I thought it would be good to fix this anyway.
There is a stack buffer overflow reading the 'pid' from user mode. Replace inBufferLength with sizeof(pid).
HideProcess/driver/irphandlers.c, line 60 in 99d7a72
The output buffer's length is not checked.
HideProcess/driver/irphandlers.c, line 92 in 99d7a72
This memory is not freed anywhere.
HideProcess/driver/hideprocess.c, line 7 in 99d7a72
This buffer was allocated with length=(sizeof(ULONG) + 20), why is the param to sprintf_s longer?
HideProcess/driver/hideprocess.c, line 29 in 99d7a72
This string is not used anywhere (copied from the Microsoft IOCTL sample :) )
HideProcess/driver/irphandlers.c, line 43 in 99d7a72
Here, you use 'datalen', which is the length of the string from the sample, instead of the real result string:
HideProcess/driver/irphandlers.c, line 95 in 99d7a72
I followed the steps you posted here:
Here's a gif I just made performing it on build 17763:
Originally posted by @landhb in #10 (comment)
But I receive a "The handle is invalid" error. What could be causing this? I have everything compiled correctly and have tried many different configurations.
Thanks for uploading this, mate. I was wondering where you obtained the loader IRP code 0x815 from; the driver compiles perfectly though.
Hi,
I have a strange problem, when I try to use loader I get the following error:
C:\Users\Rahimi\Desktop>Loader.exe "test.exe"
Basic DKOM Rootkit to Hide a Process
Usage : loader.exe [process name]
Author: Bradley Landherr
[+] Discovered PID of process test.exe: 4792
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: The system cannot find the path specified.
[-] Error creating handle: The system cannot find the path specified.
I put the Rootkit.sys and loader.exe on the desktop, and here is some part of my loader code:
#define SERVICE "Rootkit"
#define DEVICE "\\\\.\\Rootkit"
#define DRIVER "c:\\\\Users\\Masoud\\Desktop\\Rootkit.sys"
//#define DRIVER "c:\\\\Users\\IEUser\\Desktop\\Rootkit.sys"
//#define DRIVER "C:\\\\WINDOWS\\Rootkit.sys"
It seems that the loader cannot find the driver, but I don't know why.
Thanks.
Hi @landhb, I compiled the driver and the loader. I copied Rootkit.sys to C:\Windows\System32\drivers\.
In the loader.c file I have #define DRIVER "C:\\Windows\\System32\\drivers\\Rootkit.sys" when I compile.
When I try to hide a process this is the STDOUT I get:
C:\Windows>dkom.exe Ditto_deleted.exe
Basic DKOM Rootkit to Hide a Process
Usage : loader.exe [process name]
Author: Bradley Landherr
[+] Discovered PID of process Ditto_deleted.exe: 1208
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: The system cannot find the path specified.
LALA: 3
[-] Error creating handle: The system cannot find the path specified.
Ignore LALA: 3
:D I think the error happens at StartService(svcHandle, 0, NULL) == 0.
It is like the loader cannot find the driver.
Any ideas?
Off-topic: on Win 10 ver 1703 (RS2) build 15063 Enterprise, does it only work for you for about ~30 minutes before a BSOD?
I built this project under Win10 and VS2015, but the setting's target platform is only Win10. I want to run it under Win7 x86.
So I want to know which VERSION OF Visual Studio you use, and on which platform you use VS?
Thanks!!!