EXETOOLS FORUM  

  #1  
Old 04-05-2012, 14:05
31337guru
Process hiding with SSDT modification in x64 Win7

I'm looking for a way to hide a process with the SSDT in x64 Windows 7. I successfully found the SSDT location and changed the value (4 bytes), which is the RVA for a specific system function. If you want to know the details, let me know and I'll add more information.

However, I failed to point to the hooked function from the changed SSDT because of the different base address, which is added to the RVA value above.

Does anybody know where to go? Thank you in advance.
  #2  
Old 04-26-2012, 07:44
Fyyre

Join Date: Dec 2009
Location: 0xfffffffe
Posts: 134
I would not bother with the SSDT in x64 Windows; it is much easier to just remove the process from the linked list and/or handle table.

-Fyyre
http://fyyre.ru
  #3  
Old 05-01-2012, 07:07
c0D
Use detouring, or patch some empty space to write a delegator to your own method.
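An added example, not code from any poster in this thread and not from Fyyre's hidecon, showing the arithmetic behind the problem in post #1 and the "delegator in empty space" idea from post #3. On x64 the KiServiceTable slot is not a plain RVA: it is a signed 32-bit value where the routine address is table base + (entry >> 4) and the low 4 bits hold the number of arguments passed on the stack (those beyond the four register arguments), which KiSystemCall64 uses to copy them. The reachable window is therefore a signed 28-bit displacement, about +/-128 MB around the table, and a driver image loaded elsewhere in kernel space is normally out of range. The usual way around that is a 12-byte absolute jump written into spare bytes inside the ntoskrnl image (within range), with the slot pointed at that stub and the original stack-argument nibble preserved. All addresses below are constructed, the cave location is hypothetical, and the code runs in user mode with no kernel API. Caveat: on x64 Windows 7 PatchGuard checks the SSDT and bugchecks with CRITICAL_STRUCTURE_CORRUPTION (0x109) when it finds it modified, which is one reason the advice in post #2 is to avoid the table altogether.

```c
/* x64 SSDT (KiServiceTable) slot arithmetic and a trampoline stub.
 * Added example; user-mode C, no kernel API. Every address is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* An x64 KiServiceTable slot is a signed 32-bit value:
 *   routine    = table_base + (entry >> 4)   (arithmetic shift)
 *   stack_args = entry & 0xF                 (args beyond the four register args)
 * so a routine must lie within a signed 28-bit displacement of the table. */
#define SSDT_DISP_MIN (-((int64_t)1 << 27))
#define SSDT_DISP_MAX (((int64_t)1 << 27) - 1)

/* Encode: returns 1 and fills *entry, or 0 if target is unreachable from the
 * table or stack_args does not fit in the low nibble. */
int ssdt_encode(uint64_t table_base, uint64_t target, unsigned stack_args, int32_t *entry)
{
    int64_t disp = (int64_t)(target - table_base);   /* wraps to the signed difference */
    if (stack_args > 0xF || disp < SSDT_DISP_MIN || disp > SSDT_DISP_MAX)
        return 0;
    /* disp * 16 has a zero low nibble, so adding the arg count equals OR-ing it in */
    *entry = (int32_t)(disp * 16 + (int64_t)stack_args);
    return 1;
}

/* Decode a slot back to an absolute address and its stack-arg nibble.
 * Exact division is used instead of >> so no arithmetic-shift assumption is needed. */
uint64_t ssdt_decode(uint64_t table_base, int32_t entry, unsigned *stack_args)
{
    unsigned nargs = (unsigned)entry & 0xF;
    int64_t disp = ((int64_t)entry - (int64_t)nargs) / 16;
    if (stack_args) *stack_args = nargs;
    return table_base + (uint64_t)disp;
}

/* 12-byte absolute jump: mov rax, imm64 ; jmp rax.  rax is volatile and is not an
 * argument register in the x64 calling convention, so clobbering it at entry is safe. */
size_t build_abs_jmp(uint8_t *out, uint64_t dest)
{
    int i;
    out[0] = 0x48; out[1] = 0xB8;                  /* REX.W mov rax, imm64 */
    for (i = 0; i < 8; i++)
        out[2 + i] = (uint8_t)(dest >> (8 * i));   /* little-endian immediate */
    out[10] = 0xFF; out[11] = 0xE0;                /* jmp rax */
    return 12;
}

/* Plan a hook for one slot: keep the original stack-arg nibble, try to point the
 * slot straight at the hook, otherwise route through a stub placed in a cave
 * inside ntoskrnl.  Returns 1 (direct), 2 (via stub, filled into stub[]), 0 (fail). */
int plan_hook(uint64_t table_base, int32_t orig_entry, uint64_t hook,
              uint64_t cave, int32_t *new_entry, uint8_t stub[12])
{
    unsigned nargs;
    ssdt_decode(table_base, orig_entry, &nargs);
    if (ssdt_encode(table_base, hook, nargs, new_entry))
        return 1;
    if (!ssdt_encode(table_base, cave, nargs, new_entry))
        return 0;
    build_abs_jmp(stub, hook);
    return 2;
}

int main(void)
{
    /* Constructed, hypothetical layout: table inside ntoskrnl, hook in a driver
     * image tens of GB away, cave in spare bytes of the ntoskrnl image. */
    uint64_t table_base = 0xFFFFF80002C3A000ULL;
    uint64_t hook       = 0xFFFFF88003E00000ULL;
    uint64_t cave       = table_base + 0x9F000;
    int32_t orig, direct, planned;
    uint8_t stub[12];
    unsigned nargs;
    int i;

    ssdt_encode(table_base, table_base + 0x15A200, 3, &orig);   /* a routine with 3 stack args */
    printf("original slot 0x%08X -> %016llX (%u stack args)\n", (unsigned)orig,
           (unsigned long long)ssdt_decode(table_base, orig, &nargs), nargs);
    printf("direct encode of driver hook: %s\n",
           ssdt_encode(table_base, hook, 3, &direct) ? "ok" : "out of +/-128 MB range");
    printf("plan_hook -> %d, new slot 0x%08X\n",
           plan_hook(table_base, orig, hook, cave, &planned, stub), (unsigned)planned);
    printf("stub bytes:");
    for (i = 0; i < 12; i++) printf(" %02X", stub[i]);
    printf("\n");
    return 0;
}
```

The range check is the part that matters for post #1: the table slot cannot carry a driver address at all, so the choice is between a stub inside the kernel image and not touching the table. Whatever lands in the slot must keep the original low nibble, or KiSystemCall64 will copy the wrong number of stack arguments into the hook.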
  #4  
Old 05-03-2012, 18:16
31337guru
Dear Fyyre, I found your hidecon example. Is it implemented by "just removing the process from the linked list and/or handle table"?
I still want to know a solution for locating the hooked function within the segment of the SSDT table.
Can anybody help me?