VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
[Previous] [Index] [Next]

Process Hide

Author: 90210

The engine was released in 29A#7 magazine

Author's notes

"Phide" (process hide) is the engine for the low level process manipulating on kernel level, designed to be used by a userland process. It supports only nt-based systems (NT4, 2k, XP, 2k3). Process management is done through the playing with EPROCESS structures. Thread that calls engine MUST have read/write access to \Device\PhysicalMemory, otherwise engine will fail.


The engine main features are:

Process hiding technique is the same, as in the 'fu' rootkit, but my goal was to make a small engine callable from r3. For now it's the only tool, which hides processes from klister (i have version 0.3 of this brilliant software).

Engine code doesn't rely on the hardcoded ntoskrnl offsets, that may vary from one servicepack to another. It only relays on the offsets of the needed EPROCESS and EHTREADS fields, because these structs are different in 4 types of nt-based oses.


phide.zip29541PHIDE 1.0Jan 2004MD5 sum ae4d3e4081b67680aaafc5f6ce077026

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka