#1
Process hiding with SSDT modification in x64 Win7
I'm looking for a way to hide a process with the SSDT in x64 Windows 7. I successfully found the SSDT location and changed the value (4 bytes), which is the RVA for a specific system function. If you want to know the details, let me know and I'll add more information.
However, I failed to point to the hooked function from the changed SSDT because of the different base address, which is added to the RVA value above. Does anybody know where to go from here? Thank you in advance.
#2
I would not bother with the SSDT in x64 Windows. It is much easier to just remove the process from the linked list and/or handle table.
-Fyyre
__________________
Best Wishes, Fyyre -- https://github.com/Fyyre
#3
Use detouring, or patch some empty space to write a delegator to your own method.
#4
Dear Fyyre, I found your hidecon example. Is it implemented by "just remove process from linked list and/or handle table"?
I still want to know how to locate the hooked function relative to the SSDT table segment. Can anybody help me?