EXETOOLS FORUM  
#1  03-15-2013, 22:16  typedef (Friend)
Hiding processes using FROST (64-bit)

Just thought I'd post this, in case it hadn't been posted before.

Using a gaming anti-cheat application called FROST, it is possible to hide arbitrary processes on a 64-bit system, using their signed 64-bit driver. I'm not sure if the driver's certificate has been revoked or not, but it worked a few months ago...

Here's the original forum post:

http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fexelab.ru%2Ff%2Findex.php%3Faction%3Dvthread%26forum%3D1%26topic%3D20263&act=url

The drivers can be downloaded from:

http://www.sendspace.com/file/cgkw53

Sorry if this has been posted before - delete if it has been.
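The thread's point for a defender is that a legitimately signed third-party driver can be loaded and then driven to do things the vendor never intended, and that whether it still loads depends on the state of the signing certificate. The following is an added example, not code from the thread or from the FROST project: it enumerates the kernel drivers currently running on a Windows host, checks each file's Authenticode signature, and flags drivers that are unsigned, fail validation, or were signed with a certificate that has since expired. It assumes Windows with PowerShell 5.1 or later and the CIM cmdlets; the function names Normalize-DriverPath and Get-LoadedDriverSignatureReport are my own.

```powershell
# Added example (not from the thread): audit loaded kernel drivers for
# signature status and signer certificate validity.
# Assumes Windows, PowerShell 5.1+, and that Win32_SystemDriver is queryable.

function Normalize-DriverPath {
    param([string]$Path)
    if (-not $Path) { return $null }
    # Win32_SystemDriver.PathName may use NT-style prefixes; map them to Win32 paths
    # so Test-Path and Get-AuthenticodeSignature can open the file.
    $p = $Path -replace '^\\\?\?\\', ''                       # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot          # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\" # System32\... -> C:\Windows\System32\...
    return $p
}

function Get-LoadedDriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $file = Normalize-DriverPath $_.PathName
            $sig  = if ($file -and (Test-Path -LiteralPath $file)) {
                        Get-AuthenticodeSignature -FilePath $file
                    } else { $null }
            $cert = if ($sig) { $sig.SignerCertificate } else { $null }
            [pscustomobject]@{
                Name        = $_.Name
                Path        = $file
                SigStatus   = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
                Signer      = if ($cert) { $cert.Subject } else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
                Timestamped = [bool]($sig -and $sig.TimeStamperCertificate)
            }
        }
}

# Report drivers worth a second look: anything not 'Valid', plus drivers whose
# signing certificate has expired. An expired certificate with a valid timestamp
# countersignature is still accepted by the loader, so it is a review prompt,
# not proof of a problem.
Get-LoadedDriverSignatureReport |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.CertExpired } |
    Sort-Object SigStatus, Name |
    Format-Table Name, SigStatus, CertExpired, Timestamped, NotAfter, Signer -AutoSize
```

Run it from an elevated prompt so every driver path is readable. Signature status alone does not tell you whether a driver exposes a dangerous IOCTL surface; the useful output is the list of third-party signers present on the machine, which can then be compared against what the build is supposed to contain and against published lists of known-abusable drivers.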
#2  03-18-2013, 12:50  Av0id (VIP)

All you need is to form a proper DeviceIoControl buffer.
#3  07-18-2013, 03:40  securedsolutions

This will not work on Windows 8 x64.
#4  02-06-2014, 06:35  jump (VIP)

Could you post a working link again or attach it locally? Thanks!

--
Jump
#5  02-16-2014, 10:08  BAHEK (Family)

Quote:
Originally Posted by jump
Could you post a working link again or attach it locally? Thanks!

--
Jump

frost.rar
|---frost_32.sys
|---frost_64.sys
|---hidden_run.exe - about
`---hidden_run_src

Attached Files
File Type: rar frost.rar (1.17 MB, 102 views)
#6  02-18-2014, 07:10  The Old Pirate (Family)

Doesn't work on Windows 7 x64 either, does it?
#7  05-22-2014, 23:21  DMichael (Family, Israel)

The signature is old, that's why it won't work.
All times are GMT +8.