Hiding process from SoftIce

Athlon
January 15th, 2006, 11:02 AM
I need to hide process from SoftIce - possible?
All variants which I have found cannot do it. What do the gurus think about this?

sreehari
January 16th, 2006, 05:18 AM
hi .....
this works for Win 95.... but for the other OS not sure :-D
hope this code snippet helps ya....

Function call

    RegisterService(1); //hide the thing!!!

Put this in your header file

    #include <windows.h>

    //Hide program (Makes it look like a process)
    typedef DWORD (__stdcall *TRegis)(DWORD,DWORD);
    int RegisterService(int); // hide
    //---------------------------------------------------------------------------
    int RegisterService(int Reg)
    {
        HINSTANCE hKrnl32;
        //This is the location of the kernel32.dll file. It should default to the
        //windows\system directory.
        LPCTSTR RspDllName=TEXT("C:\\Windows\\System\\Kernel32.dll");
        //GetProcAddress always takes an ANSI name
        LPCSTR RspName="RegisterServiceProcess";
        DWORD Ret = 0;
        //Load the kernel32.dll file
        hKrnl32 = LoadLibrary(RspDllName);
        if (hKrnl32 != NULL)
        {
            TRegis RegisterServiceProcess = (TRegis) GetProcAddress(hKrnl32, RspName);
            if (RegisterServiceProcess != NULL)
            {
                //When you register the process it will not show up in the
                //ctrl+alt+del. When you unregister it, it will show up.
                Ret = RegisterServiceProcess(0, Reg);
            }
            //Release the library on both paths; Ret stays 0 if the export is missing
            FreeLibrary(hKrnl32);
            return (int) Ret;
        }
        else
        {
            return 0;
        }
    }

regards...

Xatrix
January 16th, 2006, 11:32 AM
I guess you could somehow hide it from being detected by SoftICE, but what about other debuggers where you explicitly launch a process right in the debugger IDE? Like OllyDbg for instance.

Also, inserting code to detect the presence of SoftICE is rather pointless as well, because there are of course other plug-ins/tools to hide SoftICE from being detected :rolleyes:

I'm just giving the facts, and the facts state "You can run but you can't hide" ;)

codeguru.com
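A defender-side view of the run-time lookup in sreehari's snippet, as an added example that is not part of the original thread: because the API is resolved with GetProcAddress, its name sits in the file as a plain string, so a byte scan can flag it during triage. The function names `find_name` and `triage` and the sample bytes are constructed for illustration; the scan cannot tell a string literal from an import-by-name entry.

```python
import re

# Names come from the snippet posted in the thread; the scanner is an added illustration.
HIDE_API = b"RegisterServiceProcess"
RESOLVERS = (b"GetProcAddress", b"LoadLibraryA", b"LoadLibraryW")
# Absolute path to kernel32.dll, as hard-coded in the posted snippet.
ABS_KERNEL32 = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]*kernel32\.dll", re.IGNORECASE)


def find_name(data, name):
    """Return sorted (offset, encoding) pairs for ASCII and UTF-16LE copies of name."""
    needles = (("ascii", name),
               ("utf-16le", name.decode("ascii").encode("utf-16-le")))
    return sorted((m.start(), enc)
                  for enc, needle in needles
                  for m in re.finditer(re.escape(needle), data))


def triage(data):
    """Summarise the string artefacts a run-time lookup of HIDE_API leaves in a file."""
    hits = find_name(data, HIDE_API)
    resolvers = [r.decode("ascii") for r in RESOLVERS if r in data]
    return {
        "is_pe": data[:2] == b"MZ",          # DOS header magic only, not a full PE parse
        "hits": hits,
        "resolvers": resolvers,
        "abs_kernel32_path": ABS_KERNEL32.search(data) is not None,
        # API name plus a resolver in the same file is consistent with dynamic lookup
        "flag": bool(hits) and bool(resolvers),
    }


# Constructed sample bytes (not real binaries).
SAMPLE_HIDER = (b"MZ" + b"\x00" * 62
                + b"GetProcAddress\x00LoadLibraryA\x00"
                + b"C:\\Windows\\System\\Kernel32.dll\x00"
                + b"RegisterServiceProcess\x00")
SAMPLE_CLEAN = (b"MZ" + b"\x00" * 62
                + b"GetProcAddress\x00LoadLibraryA\x00ExitProcess\x00")

if __name__ == "__main__":
    for label, blob in (("hider", SAMPLE_HIDER), ("clean", SAMPLE_CLEAN)):
        print(label, triage(blob))
```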
Copyright Internet.com Inc., All Rights Reserved.