Exetools (https://forum.exetools.com/index.php)
-   x64 OS (https://forum.exetools.com/forumdisplay.php?f=44)
-   -   Process hiding with SSDT modification in x64 Win7 (https://forum.exetools.com/showthread.php?t=14185)

31337guru 04-05-2012 14:05

Process hiding with SSDT modification in x64 Win7
 
I'm looking for a way to hide a process with the SSDT in x64 Windows 7. I successfully found the SSDT location and changed the value (4 bytes), which is the RVA for a specific system function. If you want to know the details, let me know and I'll add more information.

However, I failed to point to the hooked function from the changed SSDT because of the different base address, which is added to the RVA value above.

Does anybody know where to go? Thank you in advance.

Fyyre 04-26-2012 07:44

I would not bother with the SSDT in x64 Windows.. it is much easier to just remove the process from the linked list and/or handle table.

-Fyyre

c0D€ 05-01-2012 07:07

use detouring or patch some empty space to write a delegator to your own method

31337guru 05-03-2012 18:16

Dear Fyyre, I found your hidecon example. Is it implemented by "just removing the process from the linked list and/or handle table"?
I still want to know a solution to locate the hooked function within the segment of the SSDT table.
Can anybody help me?
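The thread describes x64 SSDT entries as 4-byte values that the kernel adds to a base address, and one reply suggests redirecting an entry to a delegator placed in unused space. The following is an added example, not code from this thread or from any of the posters, written from the defender's side: it decodes entries the way the x64 dispatcher does (a signed 32-bit value whose low 4 bits carry the stack-argument count and whose remainder, arithmetically shifted right by 4, is the displacement from the table base) and audits a table against the kernel image range and a known-good baseline. The table base, image range, service addresses and the tampered entry are all constructed sample values, and `TABLE_BASE`, `KERNEL_IMAGE`, `BASELINE` and the function names are assumptions of this example.

```python
import struct

# Constructed values (assumptions, not from the thread): where the service
# table is assumed to live and the address range of the kernel image that
# every entry should resolve into.
TABLE_BASE = 0xFFFFF80001800000
KERNEL_IMAGE = (0xFFFFF80001600000, 0xFFFFF80001C00000)


def decode_entry(raw, table_base=TABLE_BASE):
    """Decode one 32-bit x64 SSDT entry into (target_address, stack_arg_count).

    The entry is treated as signed: the low 4 bits hold the argument count,
    and the value arithmetically shifted right by 4 is the displacement that
    the dispatcher adds to the table base.
    """
    signed = struct.unpack("<i", struct.pack("<I", raw & 0xFFFFFFFF))[0]
    return table_base + (signed >> 4), raw & 0xF


def encode_entry(target, argc, table_base=TABLE_BASE):
    """Inverse of decode_entry; used here only to build the sample tables.

    Raises when the displacement does not fit the 28 usable bits, i.e. when
    the target lies outside the +-128 MB window around the table base.
    """
    value = ((target - table_base) << 4) | (argc & 0xF)
    if not -2**31 <= value < 2**31:
        raise ValueError("target not encodable relative to table base")
    return value & 0xFFFFFFFF


def audit_table(entries, baseline, image_range=KERNEL_IMAGE, table_base=TABLE_BASE):
    """Return a list of (index, reason) for every entry that fails a check.

    Check 1: the decoded target must lie inside the kernel image.
    Check 2: the decoded target must equal the baseline recorded on a clean
             system; this is what catches a redirect into a code cave that is
             still inside the image and so passes check 1.
    """
    lo, hi = image_range
    findings = []
    for i, raw in enumerate(entries):
        target, _ = decode_entry(raw, table_base)
        if not lo <= target < hi:
            findings.append((i, "target outside kernel image"))
        elif target != baseline[i]:
            findings.append((i, "target differs from baseline"))
    return findings


# Constructed clean table: three services, all inside the kernel image.
BASELINE = [0xFFFFF80001700000, 0xFFFFF80001900000, 0xFFFFF80001A04000]
CLEAN_TABLE = [encode_entry(t, a) for t, a in zip(BASELINE, (3, 4, 11))]

# Constructed tampered copy: entry 2 now resolves to unused space that is
# still inside the kernel image, so only the baseline comparison flags it.
TAMPERED_TABLE = list(CLEAN_TABLE)
TAMPERED_TABLE[2] = encode_entry(0xFFFFF80001BFF000, 11)

if __name__ == "__main__":
    print(audit_table(CLEAN_TABLE, BASELINE))     # []
    print(audit_table(TAMPERED_TABLE, BASELINE))  # [(2, 'target differs from baseline')]
```

On a live system the baseline would be captured from a known-clean boot (or rebuilt from the kernel's export table), and the entries would be read from the running kernel rather than constructed; the range check alone is not sufficient, as the tampered sample shows.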
