Typical process hiding techniques
1 Process hiding based on system services
In the Win9x series of operating systems, system service processes are not shown in the system process list, so simply registering a process as a system service makes it invisible in that list.
Under Win9x the RegisterServiceProcess function hides a process this way; on the NT line (Windows 2000, XP and so on) this method does not work.
2 Process hiding based on API hooks
An API hook uses special programming techniques to intercept calls to Windows API functions and either discard them or replace them with the hooker's own code. By hooking the system functions that enumerate processes and substituting a filtered version, any process can be hidden from tools that rely on those functions.
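The filtering logic of such a hook, as an added example that is not part of the original article: the snapshot, the enumeration function and the import-table slot are all constructed stand-ins so that the block runs on any C compiler. A real hook overwrites the import address table entry for Process32Next in the target's PE image (or patches the function prologue); that PE parsing is assumed and not shown. What the example does show is the part most hooks get wrong: the replacement must loop, so that consecutive hidden entries and a hidden entry at the end of the snapshot still terminate the enumeration cleanly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a Toolhelp snapshot: the entries a real
 * CreateToolhelp32Snapshot / Process32Next pair would hand back. */
typedef struct {
    unsigned long th32ProcessID;
    char szExeFile[32];
} PROCESSENTRY32;

static const PROCESSENTRY32 g_snapshot[] = {
    {    4, "System"       },
    { 1234, "explorer.exe" },
    { 4444, "hidden.exe"   },
    { 4445, "hidden.exe"   },   /* two in a row: a single skip would leak the second */
    { 9000, "notepad.exe"  },
};
#define SNAP_COUNT (sizeof g_snapshot / sizeof g_snapshot[0])

typedef struct { size_t pos; } SNAPSHOT;

/* The "real" enumeration function. Returns false once the snapshot is exhausted. */
static bool real_Process32Next(SNAPSHOT *snap, PROCESSENTRY32 *out) {
    if (snap->pos >= SNAP_COUNT) return false;
    *out = g_snapshot[snap->pos++];
    return true;
}

/* The caller never calls Process32Next directly; it calls through an import
 * table slot. An IAT hook overwrites that slot (in a real process: find the
 * entry in the PE import directory, make the page writable, write the pointer). */
typedef bool (*Process32Next_t)(SNAPSHOT *, PROCESSENTRY32 *);
static Process32Next_t IAT_Process32Next = real_Process32Next;
static Process32Next_t g_original = NULL;          /* saved so the hook can chain and unhook */
static const char *g_hidden_name = "hidden.exe";   /* image name to filter out */

/* Replacement: pull entries from the original function and drop the hidden ones. */
static bool hooked_Process32Next(SNAPSHOT *snap, PROCESSENTRY32 *out) {
    while (g_original(snap, out)) {
        if (strcmp(out->szExeFile, g_hidden_name) != 0)
            return true;                /* visible entry: hand it to the caller */
    }
    return false;                       /* exhausted, possibly after skipping the tail */
}

void set_hidden_name(const char *name) { g_hidden_name = name; }

void install_hook(void) {
    if (g_original) return;             /* already hooked */
    g_original = IAT_Process32Next;
    IAT_Process32Next = hooked_Process32Next;
}

void remove_hook(void) {
    if (!g_original) return;
    IAT_Process32Next = g_original;
    g_original = NULL;
}

/* What a task manager does: walk the snapshot through the (possibly hooked) slot. */
size_t enumerate_processes(unsigned long *pids, size_t max) {
    SNAPSHOT snap = { 0 };
    PROCESSENTRY32 pe;
    size_t n = 0;
    while (IAT_Process32Next(&snap, &pe)) {
        if (n < max) pids[n] = pe.th32ProcessID;
        n++;
    }
    return n;
}

int main(void) {
    unsigned long pids[16];
    size_t n = enumerate_processes(pids, 16);
    printf("before hook: %zu processes\n", n);
    install_hook();
    n = enumerate_processes(pids, 16);
    printf("after hook:  %zu processes\n", n);
    for (size_t i = 0; i < n; i++) printf("  pid %lu\n", pids[i]);
    remove_hook();
    return 0;
}
```

Because the hook lives in the enumerating process and only filters one API, a detector that obtains a second view (for example NtQuerySystemInformation, or opening every PID with OpenProcess) and compares it against the Toolhelp view sees the discrepancy; that cross-view check is the standard counter to user-mode hooks.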
3 DLL-based process hiding: remote thread DLL injection
A DLL has no entry point of its own and cannot run independently; it is loaded and called by a process, so a DLL never appears in the process list. If a program is built as a DLL, it can therefore be hidden inside a process that is already running. In a Windows system every process has its own private address space, and a process cannot simply form a pointer into memory that belongs to another process. Remote thread technology breaks that process boundary by way of operating-system facilities (the CreateRemoteThread API rather than any kernel programming) to reach the address space of another process, and uses that to hide itself.
Remote thread DLL injection therefore means creating a remote thread inside a target process so that the target process itself loads and starts the DLL within its own memory space.
4 Process hiding based on remote thread code injection
Like remote thread DLL injection, this approach enters the memory space of a process by creating a remote thread in it. The difference is that remote thread code injection copies the program code directly into the memory space of the target process instead of loading a file. Because the program then exists only as code in memory, it not only cannot be found in the process list; even enumerating the modules loaded by the process finds no trace of the hidden program.
5 Rootkit approach
Intel CPUs have four privilege levels: Ring 0, Ring 1, Ring 2 and Ring 3. Windows uses only Ring 0 and Ring 3.
The operating system is divided into two parts, the kernel and the shell. The kernel runs at Ring 0, usually called kernel mode; it implements the lowest-level management functions and in kernel mode can access system data and hardware: processor scheduling, memory management, device management, file management and so on. The shell runs at Ring 3, usually called user mode; it is the interface built on the interaction functions the kernel provides and is responsible for passing on and interpreting instructions. Normally a user-mode application has no permission to access the kernel-mode address space.
A rootkit is a tool an attacker uses to hide their traces and retain root access, which allows the attacker to keep access to the target machine and maintain control over it [1]. By the environment in which it runs, a rootkit is classified as either a user-level rootkit or a kernel-level rootkit.
In user mode, applications call the Win32 API functions provided by the Win32 subsystem dynamic libraries (Kernel32.dll, User32.dll, Gdi32.dll and others). These are the interfaces Windows provides to applications and they run at Ring 3. A user-level rootkit typically intercepts the Win32 API by installing system hooks and inserting its own code, thereby taking control of the calls a detection tool makes to enumerate processes or services and achieving the hiding function.
A kernel-level rootkit uses driver technology or other related techniques to enter the Windows kernel and then tampers with the data structures or objects of the kernel to hide. Because such a rootkit runs at Ring 0 and has entered kernel space, it can even modify kernel instructions, and a user-mode detection tool cannot see that the kernel operation has been intercepted.
Below are two ways to implement process hiding with rootkit techniques. Both need a loader (a driver file) that is easy to detect when it starts; clearly, to enhance the hiding of the process, the key is to enhance the hiding of the loader file.
<1> SSDT hooks
See the links at the end of this article.
<2> DKOM (Direct Kernel Object Manipulation)
Process hiding with DKOM works as follows. The Windows kernel creates a process object, EPROCESS, for every active process and a thread object, ETHREAD, for every thread in that process.
The EPROCESS structure contains a doubly linked list entry of type LIST_ENTRY (the ActiveProcessLinks member); LIST_ENTRY has two member pointers, Flink and Blink, which point respectively to the next process and the previous process in the list of active processes.
To hide the current process, set the Flink of its predecessor to the current process's Flink, and set the Blink of its successor to the current process's Blink. The process is then unlinked from the list that enumerators walk, while its threads continue to be scheduled because scheduling does not use this list. One practical caveat: after unlinking, point the process's own Flink and Blink at itself, because the kernel unlinks the entry again when the process exits, and stale pointers there corrupt the list and crash the system.
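The unlink described above, written out as an added example that is not from the original article. The EPROCESS and LIST_ENTRY stand-ins are constructed so that the block runs in user mode on any C compiler; in a real kernel the offset of ActiveProcessLinks differs between Windows builds and must be resolved per build, which is assumed here. The block also shows the detection side that DKOM does not defeat: an independent view of the process objects (here the constructed array; on a real system the PspCidTable handle table, a pool scan, or thread back-pointers) compared against the list walk.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel structures. The real EPROCESS has hundreds of
 * fields; only the ones this technique touches are modelled. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;  /* forward link: next entry */
    struct _LIST_ENTRY *Blink;  /* backward link: previous entry */
} LIST_ENTRY;

typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    char ImageFileName[16];
    LIST_ENTRY ActiveProcessLinks;   /* links this process into PsActiveProcessHead */
} EPROCESS;

/* Same macro the kernel uses to get from a list entry back to its object. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Circular list head, like PsActiveProcessHead. */
static LIST_ENTRY PsActiveProcessHead = { &PsActiveProcessHead, &PsActiveProcessHead };

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Link a constructed sample of processes into the active list. */
void build_process_list(EPROCESS *procs, size_t n) {
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (size_t i = 0; i < n; i++)
        InsertTailList(&PsActiveProcessHead, &procs[i].ActiveProcessLinks);
}

/* What process enumerators (and Task Manager through them) see: a walk of the Flink chain. */
size_t walk_active_processes(unsigned long *pids, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) {
        EPROCESS *p = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
        if (n < max) pids[n] = p->UniqueProcessId;
        n++;
    }
    return n;
}

/* DKOM hide: unlink the process from ActiveProcessLinks. Threads are scheduled
 * from their own structures, so the process keeps running. */
void dkom_hide_process(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;   /* predecessor now points past us */
    e->Flink->Blink = e->Blink;   /* successor now points back past us */
    /* Point the orphaned entry at itself. On process exit the kernel removes
     * the entry again; with stale Flink/Blink that write would corrupt the
     * neighbours' links and blue-screen. It also makes a second hide a no-op. */
    e->Flink = e;
    e->Blink = e;
}

/* Cross-view detection: any process object present in an independent view
 * but absent from the list walk has been unlinked. */
size_t find_unlinked_processes(EPROCESS *procs, size_t n, unsigned long *hidden, size_t max) {
    unsigned long listed[64];
    size_t n_listed = walk_active_processes(listed, 64);
    if (n_listed > 64) n_listed = 64;
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < n_listed && !seen; j++)
            seen = (listed[j] == procs[i].UniqueProcessId);
        if (!seen && found < max) hidden[found++] = procs[i].UniqueProcessId;
    }
    return found;
}

int main(void) {
    EPROCESS procs[3] = {
        {    4, "System",       {0, 0} },
        { 1234, "explorer.exe", {0, 0} },
        { 5678, "rk.exe",       {0, 0} },
    };
    build_process_list(procs, 3);
    dkom_hide_process(&procs[2]);
    unsigned long pids[8], hidden[8];
    printf("list walk sees %zu processes\n", walk_active_processes(pids, 8));
    size_t h = find_unlinked_processes(procs, 3, hidden, 8);
    for (size_t i = 0; i < h; i++) printf("unlinked: pid %lu\n", hidden[i]);
    return 0;
}
```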
Process hiding method | Concealment | Robustness | Implementation difficulty | Loading mode | How the process exists | Operating system
Register as a system service | Poor | Very good | Simple | Simple | As a system service | Win9x series
API hook | Good | Very good | Relatively difficult | Simple | Still exists as its own process | WinNT and above
Registry DLL injection | General | Very poor | Simple | Simple | As a DLL in every process that loads User32.dll | WinNT and above
Rundll32 loading a DLL | General | Good | Simple | (not given) | As a DLL in the Rundll32.exe process | WinNT and above
Remote thread DLL injection | Good | Good | Relatively difficult | Complex | As a DLL in any process, including system processes | WinNT and above
Remote thread code injection | Good | Good | Very difficult | Very difficult | In the memory space of any process, including system processes | WinNT and above
Process hiding methods: comparison, analysis and implementation links