landhb / HideProcess

A basic Direct Kernel Object Manipulation rootkit that removes a process from the EPROCESS list, hiding it from the Task Manager

[help] Having troubles getting it to work #5

Open aegyed91 opened 6 years ago

aegyed91 commented 6 years ago

Hi @landhb, I compiled the driver and the loader, and copied Rootkit.sys to C:\Windows\System32\drivers\

In the loader.c file I have #define DRIVER "C:\\Windows\\System32\\drivers\\Rootkit.sys" when I compile.

When I try to hide a process, this is the STDOUT I get:

C:\Windows>dkom.exe Ditto_deleted.exe

 Basic DKOM Rootkit to Hide a Process
 Usage : loader.exe [process name]
 Author: Bradley Landherr

[+] Discovered PID of process Ditto_deleted.exe: 1208
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: The system cannot find the path specified.

LALA: 3
[-] Error creating handle: The system cannot find the path specified.

Ignore "LALA: 3" :D I think the error happens at StartService(svcHandle, 0, NULL) == 0; it is like the loader cannot find the driver.

Any ideas?

OFF: on Win 10 ver 1703 (RS2) build 15063 Enterprise, does it also only work for you for about ~30 minutes before a BSOD?

ghost commented 6 years ago

This is the error I encountered, any solution?

C:\Windows>dkom.exe cmd.exe

 Basic DKOM Rootkit to Hide a Process
 Usage : loader.exe [process name]
 Author: Bradley Landherr

[+] Discovered PID of process cmd.exe: 1740
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: This driver has been blocked from loading

[-] Error creating handle: This driver has been blocked from loading

Thanks!

EDIT: problem fixed, just need to compile an x64 driver

jodimary commented 6 years ago

I am also getting:

[-] Error loading driver: The system cannot find the path specified.
[-] Error creating handle: The system cannot find the path specified.

Any help is greatly appreciated, Thanks for your work!

landhb commented 6 years ago

@jodimary Did you also build the driver and place it in the path defined at:

https://github.com/landhb/HideProcess/blob/master/loader/loader.c#L8

You can change that define statement to point to wherever your .sys file is.

jodimary commented 6 years ago

Hi Bradley, thanks so much for replying. I tried it again and it was successful, so it must have been something I did incorrectly during the process.

Just want to say thank you, as I have been looking for exactly this (something that works on Windows 10) for a while, since my university dissertation is on memory forensics.

Thank you!!

landhb commented 6 years ago

No problem! Hope it helps, good luck!

h2dajeffers commented 6 years ago

I am using a Win 8.1 VM; will this code work on that OS?