flat assembler
Message board for the users of flat assembler.

Topic: the win pe file format, modify this value, program is hidden
sleepsleep
Joined: 05 Oct 2006
Posts: 9000
I found a trick last time, but I can't remember it now. I plan to use it for hiding cpu mining.

What is the address to modify that makes a Win PE executable stop displaying its GUI? The program is still shown in taskmgr.
Post 22 Dec 2013, 02:48
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
lol. If you mean nCmdShow from the WinMain function or WNDCLASS or STARTUPINFO or WinExec or ShellExecute then you failed big time. That is program dependent, not all EXEs will respond to that.

Also, you can't hide the whole process by simply hiding its GUI. You need to hook process traversing functions. Or you can go ring0 rootkit way and mess with object enumeration procedures.

As far as I have known the PE spec, there's no field that hides a process.

Just inject your process into a legit process and hide there.
Post 22 Dec 2013, 03:36
matefkr
Joined: 02 Sep 2007
Posts: 1291
Location: Ukraine, Beregovo
I think it is pretty straightforward. You would first go about exploring the address range and memory thingies for each program, then you may look at possible program states in this response-dependent and multiprocess system, and see whether you can do certain things after or before state changes by preventing interrupts where possible. Certain things like writing memory of other programs and shit like this, with methods of sorts (there is some sort of memory area where the current process of certain programs is stored, maybe it is on the heap, or whatever... so there may be problems with it).

Then if you don't find ways around here, you can look for functions allowed by Windows for writing other process memories (there are some at least), then you can hook these functions, so first these functions will check whether the write is permitted or not, based on your own desire, and then you can use this to write into other things along with a disassembler; you write into a return address of sorts sometimes, very unoften, and you put some program you need right there.
Or into explorer.exe more specifically; maybe it's always running a little bit even with full screen applications.
Post 22 Dec 2013, 08:08
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17467
Location: In your JS exploiting you and your system
Plenty of interesting suggestions here, but what is lacking is the threat analysis.

sleepsleep: What is the threat you are trying to solve? If it is just a simple thing to prevent a different user of the same computer from interfering with it then such a thing is easy. But if it is to hide it from the NSA's top security guru then your job is going to be much harder. And without knowing what you are trying to do then any suggestion could be overkill or insufficient depending upon the circumstances.
Post 22 Dec 2013, 08:39
baldr
Joined: 19 Mar 2008
Posts: 1651
sleepsleep,

Your description of the problem is too vague. Do you want to hide only GUI? Toggle WS_VISIBLE. Process hiding requires much more.
Post 22 Dec 2013, 09:29
sleepsleep
Joined: 05 Oct 2006
Posts: 9000
OK, sorry for being vague.

I was thinking of planting some litecoin cpuminer in the background in Windows OS.
Under Windows XP (if I remember correctly) there is an address in the PE file that, if you change it, makes the application run but not be visible; maybe it doesn't work in Windows 7 and 8.

The WS_VISIBLE seems a nice choice too.

Maybe run it using svchost.exe; I don't know if that is possible or not.

Then if my miner could provide some sort of extra service, e.g. enable remote help to people, I guess that is win-win in some sense. Of course, I will inform them: if they let me plant it, then a service charge discount is given; if not, then no discount, something like that.

Because it would be ugly if, while using your PC, you see a DOS prompt visible at the back running some hash...
Post 22 Dec 2013, 13:50
baldr
Joined: 19 Mar 2008
Posts: 1651
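The "address in the PE file" sleepsleep half-remembers is the Subsystem field of the PE optional header: a console program marked WINDOWS_GUI instead of WINDOWS_CUI gets no console window, while, as typedef points out, the process itself stays fully visible in Task Manager. The following script is an added example, not code from this thread; it reads that field so an analyst triaging a binary that runs without a window can see which subsystem it declares. `build_sample_pe` is a constructed stub header for testing only, not a loadable executable.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
              9: "WINDOWS_CE_GUI", 10: "EFI_APPLICATION"}

def read_subsystem(image: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> optional header and return the
    Subsystem field (file offset, raw value, name, PE32+ flag)."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; SizeOfOptionalHeader is at its +16
    size_of_opt = struct.unpack_from("<H", image, e_lfanew + 4 + 16)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # Subsystem is a WORD at +68 in both PE32 and PE32+ (the layouts differ only before it)
    if size_of_opt < 70 or opt + 70 > len(image):
        raise ValueError("optional header too short to hold Subsystem")
    field = opt + 68
    value = struct.unpack_from("<H", image, field)[0]
    return {"offset": field, "value": value,
            "name": SUBSYSTEMS.get(value, "UNKNOWN"),
            "pe32plus": magic == PE32PLUS_MAGIC}

def build_sample_pe(subsystem: int, pe32plus: bool = False) -> bytes:
    """Constructed test input: DOS header + PE signature + file header + optional
    header with no data directories or sections. Not a loadable executable."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: NT headers right after DOS header
    opt_size = 112 if pe32plus else 96                 # standard sizes without data directories
    machine = 0x8664 if pe32plus else 0x14C            # AMD64 / I386
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)  # EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(3)
    print(read_subsystem(data))
```

Run it against a real file (`python pe_subsystem.py some.exe`) and compare the reported subsystem with what the program is supposed to be: a command-line tool declaring WINDOWS_GUI is worth a closer look.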
sleepsleep,

Try some utility that allows you to inspect/change the window style, like zero Dump. That way you can decide whether WS_VISIBLE would be sufficient or not.
Post 22 Dec 2013, 14:11
sleepsleep
Joined: 05 Oct 2006
Posts: 9000
Thanks baldr, =)
Post 22 Dec 2013, 14:17
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17467
Location: In your JS exploiting you and your system
There was a lot of backlash when one of the gaming companies put a bitcoin miner in their client code and people got upset with the extra heat, power and wear and tear generated.

I think it is wrong to use other people's computers to make money for yourself unless your user is 100% aware that you are making money from their machine.
Post 22 Dec 2013, 14:39
sleepsleep
Joined: 05 Oct 2006
Posts: 9000
Yeah, in a moral sense I agree with your words, revolution.

But who knows, one day Linux might put a miner in too, for an open source program to generate some funds to fund itself back? It is a win-win, from my perspective.

If this cryptocoin gains more momentum, maybe motherboard makers will start putting an ASIC scrypt-based chip on board and let users mine coins; I guess it is just a matter of time before such a motherboard exists.

I agree users must be informed about the mining.
Post 22 Dec 2013, 14:48
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Post 22 Dec 2013, 16:39
Copyright © 1999-2020, Tomasz Grysztar.