VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Some stealth idea's

Ready Rangers Liberation Front [6]
June 2005

[Back to index] [Comments]


In this article I want to give you some thoughts i had. It's somethin like stealth, but nothin to do like macro stealth or EPO ;). It's about how to hide the own process, how to hide a entry in the registry and how to store files that the user (the dumb one) can't see it. It's all theoretical, I have all source's working here, but I want that you think by yourself ;). It's all possible... So let's go, hide our "bad" program.

Process stealth

In Win9x we had some sweet API called "RegisterServiceProcess". Register our malware as service and user can't see our process in the Task Manager. Too bad, that times are over... now the user at WinXP can see all, and I mean all, processes. Hmm, how to avoid this? First idea is to disable the taskmgr, it's easy to do, with the registry, check it out:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
     Valuename: Debugger
     Value    : some text...

User will press CTRL-ALT-DEL, and nothin happend's, because the execution of taskmgr.exe will be redirected to some stupid text. Means, taskmgr.exe can't be executed. Other way is this:

     Valuename: DisableTaskMgr
     Value    : 1

When user press CTRL-ALT-DEL he will see a error message, that administrator disables the Task Manager. Hmm, too bad that user is logged on as admin, and he knows that somethin goes strange.

We have to find a way how user can start taskmgr but our process is not listed. And here comes my idea ;).

Our program has to watch every time it run's the processes. If taskmgr.exe get's executed our program will exit it's process. But how to restart our prog?! With a forgotten DOS command: AT or in WinXP SCHTASKS. That are the shell task managers. Let's see a little graphic how our program can work:

   | START | ;creating a thread
       |                                           |
    Normal Program                                 Stealth Routine
    ==============                                 ===============
    - read wich step is next (reg or temp file)    - watch processes
    - goto this step                               - is taskmgr.exe active?
    - make the step                                - if no goto watch processes
    - save that step is executed                   - taskmgr.exe is executed
    - execute next step                            - making a task to execute our
    - save ...                                       program in TIME + 10min
    - . . .                                        - exit program
    - exit program

I hope that graphic don't look too weird for you. I will explain again: The program build two threads, once is for normal activity. Let's say it's a mail worm. It does first find some mail addy's. Save that it already found some addy's, and try to do the next step. Other thread is watching the processes. Taskmgr.exe get's executed, means user pressed CTRL-ALT-DEL... Our program register a new task via "AT" or "SCHTASKS" let's say 10 minutes after taskmgr.exe get's started. After register the task our worm exit it's own process. After 10 minutes the worm execute's via the task manager and do the same thing again. Create two thread's... But the worm read's from registry or a temporary file what it already has finished. The worm see that it already have collected mail addresses. So it don't do it again, and make, let's say, it's Base64 encoding, after this step finished it save it again.

It's important that your worm know's what to do next, it's also important to register a task, if you miss this your worm will terminate itself and get's started at next windows startup (if it have auto startup).

So, have fun with this idea, let's fight against newschool task manager with a oldschool DOS command ;). Also don't forget, in all Windows version's the command is called "AT" but in WinXP it's called "SCHTATSKS". As help here are some related links:

Registry stealth

This is in beginning the same as the process stealth methode. Just build two threads, one making all "normal" things, and the other is watching the processes. Is the regedit.exe executed the prog remove it's autostart entry. Then you only have to wait until regedit.exe is terminated, and remake the autostart registry entry. How easy can it be?! But I like to make some graphic, so here we go:

   | START | ;creating a thread
       |                                           |
    Normal Program                                 Stealth Routine
    ==============                                 ===============
    - do normal things...
    - exit program                                 - is regedit.exe active?
                                                   - if no goto watch processes
                                                   - regedit.exe is executed
                                                   - remove our autostart entry
                                                   - is regedit still active?
                                                   - if not remake our entry
                                                   - goto first step

You see, this is simple but effective. But don't forget, I only talk about the Windows utilities. If the user have another tool to watch at the reg this all dont work and he/she see our autostart entry...

File stealth


Hehe, but user will see that files if he want and if he is not the biggest dumb...

So, let's use a kewl feature called "NTFS Streams". Only worx on NTFS formated hard drives. So don't try it on FAT32 shit, it will not work. Stream means that one program can have 1 ore more streams. Like this: we have a program that shows a simple message box. Copy it like this:

        copy C:\OurProg.exe C:\Windows\Notepad.exe:RunIt

Now you can delete OurProg.exe, and look at the Windows directory. You can't see anything (you can with the right tools) because OurProg.exe is now the first stream of the mainstream Notepad.exe. if you execute Notepad.exe you will see the Notepad. But if you execute Notepad.exe:RunIt you will see our simple message box ;). How cooool....

So you can hide as example your worm behind Notepad.exe. Keep in mind that you use this structure:


Then just add some autostart entry to the registry:


And you are done. That's a simple but kewl methode to hide files from user. Here are a related link that would be useful to you:


Hope you get some inspiration from this article, sorry for my bad english... If you like or hate this article gimme some feedback to [email protected] or visit my site and drop a guestbook entry at ...

Thanks for reading, see you next time!

DiA/rrlf - 02.06.2005
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka