landhb / HideProcess

A basic Direct Kernel Object Manipulation rootkit that removes a process from the EPROCESS list, hiding it from the Task Manager

64 bit #1

Closed PQFitz closed 7 years ago

PQFitz commented 7 years ago

Hi bro, pleased to see you! 64-bit operating system, add driver signature, can you use? Thank you!

landhb commented 7 years ago

Hello, currently it won't work on a 64-bit platform, because I implemented the prototype with architecture-specific pointers and data types like PUINT32 and DWORD32 (noob move on my part).

I'll try to update it to work on both architectures soon. In the meantime you may be able to get it to work by replacing some of the DWORD32 data types with DWORD_PTR, which will extend to 64-bit.

Aside from the possible pointer truncation, you'll also need to build and sign your driver using Visual Studio. You can then add your dev certs to your test VM with:

certmgr.exe -add MyCert.cer -s -r localMachine trustedpublisher
certmgr.exe -add MyCert.cer -s -r localMachine root

More information about driver signing:

https://technet.microsoft.com/en-us/library/cc732061(v=ws.10).aspx

I'll see if I can get my hands on a 64-bit Win 7 VM, and see what I can do.
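An added illustration of the pointer-truncation problem described in the reply above (example code written for this page, not from the HideProcess repository). It assumes that, as in basetsd.h, DWORD32 is always 32 bits while DWORD_PTR is pointer-sized; the typedefs below mirror that with standard C types so it compiles outside the Windows DDK.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: these mirror the Windows typedefs named in the issue.
 * DWORD32 is fixed at 32 bits; DWORD_PTR (ULONG_PTR) grows with the pointer. */
typedef uint32_t  DWORD32_like;
typedef uintptr_t DWORD_PTR_like;

/* What the 32-bit-only prototype effectively did: park a kernel pointer in a
 * 32-bit field and read it back later. On x64 the upper 32 bits are lost. */
static void *roundtrip_dword32(void *p) {
    DWORD32_like stored = (DWORD32_like)(uintptr_t)p;
    return (void *)(uintptr_t)stored;
}

/* The portable form suggested in the reply: a pointer-sized integer survives
 * the round trip on both x86 and x64. */
static void *roundtrip_dword_ptr(void *p) {
    DWORD_PTR_like stored = (DWORD_PTR_like)p;
    return (void *)stored;
}

/* True if storing p in a 32-bit integer would corrupt it on this build. */
static bool pointer_truncates(void *p) {
    return roundtrip_dword32(p) != p;
}

int main(void) {
    /* Constructed sample values: a high, x64-kernel-style address and a low
     * user-mode-style address. Neither refers to a real object. */
    void *high = (void *)(uintptr_t)0xFFFFF80012345678ULL;
    void *low  = (void *)(uintptr_t)0x00401000u;
    printf("sizeof(void*)=%zu\n", sizeof(void *));
    printf("high truncates in DWORD32: %s\n", pointer_truncates(high) ? "yes" : "no");
    printf("low  truncates in DWORD32: %s\n", pointer_truncates(low)  ? "yes" : "no");
    printf("high survives DWORD_PTR:   %s\n",
           roundtrip_dword_ptr(high) == high ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the high address fails the DWORD32 round trip and passes the DWORD_PTR one; on a 32-bit build both types are the same width and neither truncates.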

PQFitz commented 7 years ago

Thank you for your guidance. I'm a programming rookie. I expect x64 to come. ^ _ ^

landhb commented 7 years ago

@PQFitz I finally got around to making it compatible with 64-bit architecture. Hope that helps!