On Windows, how would one go about hiding procmon from another process? What techniques/terms would I be searching for?
Viewed 1,548 times
2 Answers
You have to write a rootkit for this purpose. Look at these two.
https://github.com/landhb/HideProcess
https://www.codeproject.com/Articles/167583/Driver-to-Hide-Processes-and-Files-Second-Edition

EWD-0-
Welcome. You can also do patching. It depends on your case. – EWD-0- Oct 26 '17 at 14:56
-
Could you elaborate on patching? This is all new to me. – user737447 Oct 28 '17 at 06:45
-
Please explain for what you need to hide this particular process. Then I can give more details – EWD-0- Oct 28 '17 at 08:54
-
I believe I just need to hide the process name. Does 'patching' mean custom kernel with modified list process call? – user737447 Oct 29 '17 at 00:07
-
No. You've not explained the case in detail yet and without that information, it's not possible to say which method is the best choice for you. – EWD-0- Oct 30 '17 at 10:49
If you are trying to hide Procmon from another process, and you control the environment, say in an analysis lab, it may be sufficient just to hook the victim process's methods for obtaining a process list and feed it an incomplete process list.
Another way to do it would be to hexedit the method that looks for procmon such that it always returns false.
The rootkit idea above works too, but it might be overkill depending on your situation.

MrSynAckSter
You need a hooking framework. https://www.frida.re/docs/functions/ works. Depending on your version of Windows, you may have to play with your settings for it to work. – MrSynAckSter Oct 30 '17 at 17:18
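As an added example (not code from either answer), here is what the "feed it an incomplete process list" approach looks like as a Frida script for the Toolhelp enumeration path. It assumes the victim reads the process list through `Process32FirstW`/`Process32NextW` in kernel32.dll, that the image name to hide is `procmon.exe` (the 64-bit helper name `procmon64.exe` is an assumption), and that `szExeFile` sits at offset 44 of `PROCESSENTRY32W` on x64 and 36 on x86 (derived from the struct layout, so verify on your target). The replacement functions keep calling the original until they land on an entry that is not on the hide list, so the caller never sees the gap. The filtering logic is separated from the Frida bindings so it can be exercised off Windows with the simulated snapshot at the bottom; the Frida part only runs when `Interceptor` exists.

```javascript
// Image names to hide from Toolhelp enumeration (constructed list;
// procmon64.exe is assumed, not taken from the page).
const HIDDEN_NAMES = ['procmon.exe', 'procmon64.exe'];

// Case-insensitive match against the hide list (Win32 file names are
// case-insensitive, and Procmon may be renamed in case only).
function isHiddenName(exeName) {
  return HIDDEN_NAMES.includes(String(exeName).toLowerCase());
}

// Wrap a Process32Next-style iterator: advance past hidden entries so the
// caller receives the next visible one, or FALSE (0) when the snapshot ends.
// `next(snapshot, entry)` returns non-zero on success; `readName(entry)`
// extracts the szExeFile string from whatever `entry` is.
function makeFilteringNext(next, readName) {
  return function filteredNext(snapshot, entry) {
    let ok;
    do {
      ok = next(snapshot, entry);
    } while (ok && isHiddenName(readName(entry)));
    return ok;
  };
}

// Same idea for Process32First: if the very first entry is hidden, continue
// with Process32Next until a visible entry (or the end) is reached.
function makeFilteringFirst(first, next, readName) {
  const filteredNext = makeFilteringNext(next, readName);
  return function filteredFirst(snapshot, entry) {
    const ok = first(snapshot, entry);
    if (ok && isHiddenName(readName(entry))) return filteredNext(snapshot, entry);
    return ok;
  };
}

// Frida bindings: only active when injected into the target process
// (frida -p <pid> -l this_script.js). Guarded so the file also runs in Node.
if (typeof Interceptor !== 'undefined') {
  const k32 = 'kernel32.dll';
  const firstPtr = Module.getExportByName(k32, 'Process32FirstW');
  const nextPtr = Module.getExportByName(k32, 'Process32NextW');
  // BOOL Process32FirstW(HANDLE, LPPROCESSENTRY32W) and likewise for Next.
  const origFirst = new NativeFunction(firstPtr, 'int', ['pointer', 'pointer']);
  const origNext = new NativeFunction(nextPtr, 'int', ['pointer', 'pointer']);
  // Assumed offset of szExeFile inside PROCESSENTRY32W (x64: 44, x86: 36).
  const EXE_OFFSET = Process.pointerSize === 8 ? 44 : 36;
  const readName = (lppe) => lppe.add(EXE_OFFSET).readUtf16String();
  // Interceptor.replace lets the replacement call the original via the
  // NativeFunction above without re-entering the hook.
  Interceptor.replace(firstPtr, new NativeCallback(
    makeFilteringFirst(origFirst, origNext, readName), 'int', ['pointer', 'pointer']));
  Interceptor.replace(nextPtr, new NativeCallback(
    makeFilteringNext(origNext, readName), 'int', ['pointer', 'pointer']));
}

// Off-Windows simulation: a fake snapshot (constructed data) walked with the
// same First/Next protocol, returning the names the caller would observe.
function enumerateSimulated(names) {
  const snap = { names, cursor: 0 };
  const entry = { szExeFile: '' };
  const fakeNext = (s, e) => {
    if (s.cursor >= s.names.length) return 0;
    e.szExeFile = s.names[s.cursor++];
    return 1;
  };
  const fakeFirst = (s, e) => { s.cursor = 0; return fakeNext(s, e); };
  const readName = (e) => e.szExeFile;
  const filteredFirst = makeFilteringFirst(fakeFirst, fakeNext, readName);
  const filteredNext = makeFilteringNext(fakeNext, readName);
  const seen = [];
  for (let ok = filteredFirst(snap, entry); ok; ok = filteredNext(snap, entry)) {
    seen.push(entry.szExeFile);
  }
  return seen;
}

module.exports = { isHiddenName, makeFilteringNext, makeFilteringFirst, enumerateSimulated };
```

This only covers the Toolhelp route; a checker that uses `NtQuerySystemInformation`, `EnumProcesses`, window titles or the presence of the Procmon driver needs a hook on that path instead, which is why the answers above ask what the target actually does before picking a method.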