A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #14275  by MindfreaK
 Mon Jun 25, 2012 5:59 pm
The title contains everything. It is a sample NtQuerySystemInformation hook that is working with x64.
I got some trouble with it when it is the first process in the list so it has some bugs.
The "HookEngine" is bad but works.
( IDE: VS2008+x64CompilerTools )
Attachments
src
(2.75 MiB) Downloaded 135 times
 #14522  by MindfreaK
 Sun Jul 08, 2012 5:43 pm
It runs taskmgr.exe.
After that it does an injection into taskmgr.exe via 'full PE injection'; this writes the whole opcode of the process into taskmgr.exe and creates a thread.
This thread does a hook on NtQuerySystemInformation which will hide everything in the process list whose name contains '$sys$' (without the quotes). But there are some bugs (; it doesn't hide everything properly. You need to run the file you want to hide before Task Manager is run to get it hidden, because my code doesn't hide the first or last (don't actually know right now) process in the process information array. Thanks for the reply.
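From the defender's side, a hook that filters the NtQuerySystemInformation result cannot shrink the buffer the kernel already filled; it can only re-point NextEntryOffset fields so the caller skips entries. The skipped bytes stay in the buffer, which is what a consistency check can look for. The following is an added example, not code from the thread or its attachment: it builds a simplified, constructed stand-in for the SYSTEM_PROCESS_INFORMATION array (only the leading ULONG NextEntryOffset matches the real layout; the pid and name fields here are an assumption for the demo), walks it the way a normal caller would, and flags two kinds of residue: a NextEntryOffset larger than the entry's own size (an unlinked middle entry) and bytes left after the terminal entry (an unlinked tail, the case the post above says its code gets wrong). The tampered buffer is a test fixture constructed inline.

```python
"""Added example: audit a NextEntryOffset-chained buffer for unlinked entries.
Layout is a constructed stand-in for SYSTEM_PROCESS_INFORMATION; only the
first field (NextEntryOffset, ULONG) mirrors the real structure."""
import struct

# Constructed header: NextEntryOffset, ProcessId, NameLength (bytes of UTF-16LE name)
HDR = struct.Struct("<III")
ALIGN = 8


def _entry_bytes(pid: int, name: str, next_offset: int) -> bytes:
    name_b = name.encode("utf-16-le")
    body = HDR.pack(next_offset, pid, len(name_b)) + name_b
    return body + b"\0" * ((-len(body)) % ALIGN)


def natural_size(pid: int, name: str) -> int:
    """Size an entry occupies on its own, independent of its NextEntryOffset."""
    return len(_entry_bytes(pid, name, 0))


def build_buffer(procs):
    """Honest buffer: every NextEntryOffset equals the entry's natural size; last is 0."""
    out = bytearray()
    for i, (pid, name) in enumerate(procs):
        nxt = 0 if i == len(procs) - 1 else natural_size(pid, name)
        out += _entry_bytes(pid, name, nxt)
    return bytes(out)


def parse_entry(buf, off):
    nxt, pid, nlen = HDR.unpack_from(buf, off)
    name = buf[off + HDR.size: off + HDR.size + nlen].decode("utf-16-le")
    size = HDR.size + nlen
    size += (-size) % ALIGN
    return nxt, pid, name, size


def walk(buf):
    """Follow NextEntryOffset exactly as an ordinary caller would."""
    off, chain = 0, []
    while True:
        nxt, pid, name, size = parse_entry(buf, off)
        chain.append((off, pid, name, size, nxt))
        if nxt == 0:
            return chain
        if off + nxt >= len(buf):
            raise ValueError("NextEntryOffset chain runs past the buffer")
        off += nxt


def _orphans(buf, start, end):
    """Parse the entries that sit in [start, end) but are never reached by the chain."""
    found, off = [], start
    while off < end:
        _, pid, name, size = parse_entry(buf, off)
        found.append((pid, name))
        off += size
    return found


def audit(buf):
    """Return (visible_processes, findings). An untampered buffer yields no findings."""
    findings = []
    chain = walk(buf)
    for off, pid, name, size, nxt in chain:
        if nxt and nxt > size:  # jump skips bytes that still hold a whole entry
            for opid, oname in _orphans(buf, off + size, off + nxt):
                findings.append(f"gap after pid {pid}: orphaned entry pid={opid} name={oname!r}")
    last_off, _, _, last_size, _ = chain[-1]
    end = last_off + last_size
    if end < len(buf):  # terminal entry is not the last thing in the buffer
        for opid, oname in _orphans(buf, end, len(buf)):
            findings.append(f"bytes past terminal entry: orphaned entry pid={opid} name={oname!r}")
    return [(pid, name) for _, pid, name, _, _ in chain], findings


# Constructed sample process list (pids and names are made up)
PROCS = [(4, "System"), (1234, "$sys$agent.exe"), (2000, "taskmgr.exe"), (3000, "$sys$tail.exe")]


def constructed_tampered_buffer():
    """Fixture only: the same buffer with entry 1 and the last entry unlinked,
    i.e. the residue a filtering hook leaves in a caller's buffer."""
    buf = bytearray(build_buffer(PROCS))
    offs = [0]
    for pid, name in PROCS[:-1]:
        offs.append(offs[-1] + natural_size(pid, name))
    struct.pack_into("<I", buf, offs[0], offs[2] - offs[0])  # entry 0 now skips entry 1
    struct.pack_into("<I", buf, offs[2], 0)                   # entry 2 made terminal; entry 3 stranded
    return bytes(buf)


if __name__ == "__main__":
    for label, b in (("clean", build_buffer(PROCS)), ("tampered", constructed_tampered_buffer())):
        visible, findings = audit(b)
        print(label, "visible pids:", [p for p, _ in visible])
        for f in findings:
            print("  !", f)
```

The check only needs the buffer a process already received, so a monitoring agent can run it on its own query results without extra privileges; with the real structure the natural size of an entry is derivable the same way (fixed header plus the thread array plus the image name), and a hook that instead rewrites the buffer in place would need a different check, such as comparing the result against a second enumeration source.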