
[help] Having troubles getting it to work

aegyed91 opened this issue 6 years ago · 6 comments

Hi @landhb, I compiled the driver and the loader. Copied Rootkit.sys to C:\Windows\System32\drivers\

In the loader.c file I have `#define DRIVER "C:\\Windows\\System32\\drivers\\Rootkit.sys"` when I compile.

When I try to hide a process this is the STDOUT I get:

```
C:\Windows>dkom.exe Ditto_deleted.exe

 Basic DKOM Rootkit to Hide a Process
 Usage : loader.exe [process name]
 Author: Bradley Landherr


[+] Discovered PID of process Ditto_deleted.exe: 1208
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: The system cannot find the path specified.

LALA: 3
[-] Error creating handle: The system cannot find the path specified.
```

Ignore `LALA: 3` :D. I think the error happens at `StartService(svcHandle, 0, NULL) == 0`; it is like the loader cannot find the driver.

Any ideas?

OFF: on Win 10 ver 1703 (RS2) build 15063 Enterprise, does it only work for you for about ~30 minutes before a BSOD?

aegyed91 · Dec 05 '17 22:12

This is the error I encountered, any solution?

```
C:\Windows>dkom.exe cmd.exe

 Basic DKOM Rootkit to Hide a Process
 Usage : loader.exe [process name]
 Author: Bradley Landherr


[+] Discovered PID of process cmd.exe: 1740
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: This driver has been blocked from loading

[-] Error creating handle: This driver has been blocked from loading
```

Thanks!

EDIT: problem fixed, just need to compile an x64 driver

ghost · Dec 18 '17 23:12

I am also getting:

```
[-] Error loading Driver: The system cannot find the path specified.
[-] Error creating handle: The system cannot find the path specified.
```

Any help is greatly appreciated, Thanks for your work!

jodimary · Feb 28 '18 22:02

@jodimary Did you also build the driver and place it at the path defined here?

https://github.com/landhb/HideProcess/blob/master/loader/loader.c#L8

You can change that `#define` to point to wherever your .sys file is.

landhb · Feb 28 '18 23:02
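The two messages quoted in this thread are the standard text for two Win32 error codes: "The system cannot find the path specified." is ERROR_PATH_NOT_FOUND (3), and "This driver has been blocked from loading" is ERROR_DRIVER_BLOCKED (1275), which the thread traces to a 32-bit build on a 64-bit OS. The script below is an added example, not code from the HideProcess project or its author: it checks the two things behind those errors (does the configured driver path exist, and which architecture the .sys was built for) by reading the service's registry ImagePath and the PE file header, instead of waiting for StartService to fail. The service name is a placeholder; the default driver path is the one from the `#define` in this thread.

```powershell
<#
  Added example (not part of HideProcess). Explains the two StartService
  failures seen in this thread from the driver file itself.
  $ServiceName is a placeholder; $DriverPath is the thread's #define value.
#>
param(
    [string]$DriverPath  = 'C:\Windows\System32\drivers\Rootkit.sys',
    [string]$ServiceName = 'ExampleDriverService'   # placeholder, not the project's service name
)

# Read the PE headers and return the target architecture of an image file.
function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    # 'MZ' DOS header; e_lfanew at 0x3C points at the 'PE\0\0' signature
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'not-a-PE' }
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    if ($pe -lt 0 -or ($pe + 6) -gt $b.Length) { return 'not-a-PE' }
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { return 'not-a-PE' }
    # IMAGE_FILE_HEADER.Machine is the first field after the 4-byte signature
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) {
        0x014C  { return 'x86' }
        0x8664  { return 'x64' }
        default { return ('unknown (0x{0:X4})' -f $_) }
    }
}

# Turn the forms an ImagePath value can take into a normal Win32 path.
function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    if ($p.StartsWith('\??\'))            { return $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\(.*)$') { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^(system32\\.*)$')     { return (Join-Path $env:SystemRoot $Matches[1]) }
    return $p
}

$report = [ordered]@{}

# 1. Path check: where does the service (or, if not registered yet, the #define) point?
$imagePath = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" `
                                -ErrorAction SilentlyContinue).ImagePath
$report.ServiceRegistered = [bool]$imagePath
$candidate = if ($imagePath) { Resolve-DriverImagePath $imagePath } else { $DriverPath }
$report.DriverPath = $candidate
$report.FileExists = Test-Path -LiteralPath $candidate -PathType Leaf

if (-not $report.FileExists) {
    # This is the situation behind "The system cannot find the path specified." (error 3)
    $report.Diagnosis = "No file at $candidate: StartService would return ERROR_PATH_NOT_FOUND (3). " +
                        "Place the .sys there or change the #define in loader.c."
} else {
    # 2. Architecture check: a 64-bit kernel will not load an x86 image
    $report.Machine   = Get-PeMachine -Path $candidate
    $report.OS64      = [Environment]::Is64BitOperatingSystem
    $report.Signature = (Get-AuthenticodeSignature -FilePath $candidate).Status
    $report.Diagnosis = if ($report.OS64 -and $report.Machine -ne 'x64') {
        "Architecture mismatch: $($report.Machine) image on a 64-bit OS. " +
        "Rebuild as x64 (the fix reported in this thread for 'This driver has been blocked from loading')."
    } else {
        "Path and architecture are consistent (signature status: $($report.Signature)); " +
        "the failure is elsewhere."
    }
}

[pscustomobject]$report
```

Run it from an elevated prompt with `-ServiceName` set to whatever name the loader passes to CreateService; before the service has been created the script falls back to the `#define` path. The signature status is reported only as context, since 64-bit Windows enforces kernel-mode code signing unless test signing is enabled, and that is a separate condition from the two errors the thread shows.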

Hi Bradley, thanks so much for replying. I tried it again and it was successful, so it must have been something I did incorrectly during the process.

Just want to say thank you, as I have been looking for exactly this (something that works on Windows 10) for a while, as my university dissertation is regarding memory forensics.

Thank you!!

jodimary · Mar 01 '18 19:03

No problem! Hope it helps, good luck!

landhb · Mar 04 '18 19:03

I'm using a Win 8.1 VM; will this code work on this OS?

h2dajeffers · Jul 11 '18 12:07