Hi,
This is a share stripped from a project I was working on, the goal was to deploy a driver that would remove a process/thread object from all handle tables.
This was nothing more than a pseudo project to see if it was possible to remove a process from all handle tables whilst retaining stability and compatibility, operating system won :)
The code provided is correct but not complete, it will require some work to become functional. The offsets are correct but the implementation is left to you and fixing various compatibility issues, for testing I used an upper callback (ObRegisterCallbacks) to execute hiding on a protected process.
Methods Covered:
PsActiveProcessList - EPROCESS -> ActiveProcessLinks
SessionProcessList - EPROCESS -> SessionProcessLinks
Process Handle Table - EPROCESS -> ObjectTable
PspCidTable/ExDestroyHandle - EPROCESS -> ThreadListHead / _ETHREAD -> ThreadListEntry / _ETHREAD -> Cid.UniqueThread
Credits:
Rohitab (Information)
KernelMode (Information)
BlackBone (Source Code)
PowerTools (x64)
PCHunter (x64)
GMER (x64)
HookShark (x64)
P.S. This has only been shared to Rohitab/KernelMode and if you post this else I would prefer you to retain a link back to here or atleast the credits.
This is a share stripped from a project I was working on, the goal was to deploy a driver that would remove a process/thread object from all handle tables.
This was nothing more than a pseudo project to see if it was possible to remove a process from all handle tables whilst retaining stability and compatibility, operating system won :)
The code provided is correct but not complete, it will require some work to become functional. The offsets are correct but the implementation is left to you and fixing various compatibility issues, for testing I used an upper callback (ObRegisterCallbacks) to execute hiding on a protected process.
Methods Covered:
PsActiveProcessList - EPROCESS -> ActiveProcessLinks
SessionProcessList - EPROCESS -> SessionProcessLinks
Process Handle Table - EPROCESS -> ObjectTable
PspCidTable/ExDestroyHandle - EPROCESS -> ThreadListHead / _ETHREAD -> ThreadListEntry / _ETHREAD -> Cid.UniqueThread
Credits:
Rohitab (Information)
KernelMode (Information)
BlackBone (Source Code)
PowerTools (x64)
PCHunter (x64)
GMER (x64)
HookShark (x64)
P.S. This has only been shared to Rohitab/KernelMode and if you post this else I would prefer you to retain a link back to here or atleast the credits.
Attachments
Source
(4.87 KiB) Downloaded 66 times
(4.87 KiB) Downloaded 66 times
