[ C ] Hiding processes by the DKOM method

DKOM process hiding

Right, so this particular post assumes that you've got some knowledge of what DKOM (Direct Kernel Object Manipulation) is and of the specifics of the _KPROCESS structure; but as a quick rundown, the EPROCESS list is a linked list that contains all relevant information pertaining to a process, including the process ID, the process name and other important substructures. I highly recommend having a look through both MSDN and your copy of ntifs.h for the declarations.
I have updated the post with a list of the new EPROCESS offsets.

Well anyway, you can view the code below:
[ C – Source ] DKOM Hiding (Windows XP).
[ C – Source ] DKOM Hiding (Windows 7).

New EPROCESS offsets for Windows 7

Enjoy 😉

~ by Rhys Mossom on October 31, 2007.

11 Responses to “[ C ] Hiding processes by the DKOM method”

  1. What does DKOM stand for?

  2. Re-read the post 😛

  3. What header is this in? When I compile it gives me undeclared identifier, etc.

  4. It's a driver, not an exe. You have to use the DDK (Driver Development Kit) to compile it. It's easily available on the Microsoft site.

  5. Hello, I try to compile your code but WinDDK throws me a few errors. Should I include something more or only "ntddk.h"?

  6. Hi, that code doesn't work anymore? 'cause I compile it, but I get a blue screen error... maybe I need another ntifs

  7. What operating system are you using?
    There is a good possibility that this code IS out of date by now.
    I did write it three years ago.

  8. Reblogged this on .

  9. Upload file please

  10. I don't think I have the original file anymore.

  11. Your link for windows 7 is not valid. It gives page not found error.
