landhb / HideProcess

A basic Direct Kernel Object Manipulation rootkit that removes a process from the EPROCESS list, hiding it from the Task Manager

Freeze/Bluescreen on windows 10 x32 build 16299 #7

Open Mecanik opened 6 years ago

Mecanik commented 6 years ago

As the title says, I have been testing this and after 2 minutes of hiding your process the system just freezes.

Is it because of this Windows build, maybe?

Compiling and running the driver was very easy, it worked like a charm.

landhb commented 6 years ago

@Mecanik, because this project doesn’t bypass PatchGuard, the blue screen will occur on any x64 Windows build newer than Windows XP SP1.

“In x64 editions of Windows, Microsoft began to enforce restrictions on what structures drivers can and cannot modify. Kernel Patch Protection is the technology that enforces these restrictions. It works by periodically checking to make sure that protected system structures in the kernel have not been modified. If a modification is detected, then Windows will initiate a bug check and shut down the system, with a blue screen and/or reboot.”

You can read more about PatchGuard here: https://en.m.wikipedia.org/wiki/Kernel_Patch_Protection

There are some open source bypasses for PatchGuard here on GitHub, but they won’t work on all versions or all service packs. It’s basically a cat and mouse game between reverse engineers and Microsoft.

landhb commented 6 years ago

@Mecanik Just noticed you said x32. My fault!

Let me see if I can find that build and spin up a VM over the weekend.

Do you have any other information on the box? Any third-party antivirus products?

Mecanik commented 6 years ago

@landhb Well, I tried both scenarios, with antivirus and without, because I really needed this. It does not matter what I tried, still BSOD.

I am running Hyper-V, if that makes any difference?