phide_ex - ultimate process hiding example

PE386 (Groupie; joined 16 June 2006; Location: Zimbabwe)
Posted: 24 October 2006 at 4:47am
Are antirootkits as good as you think?
Based on RkDemo by EP_X0FF and MP_ART, I have written a similar rootkit, continuing their ideas.
It contains a hidden process and a hidden driver.
This example creates the file c:\phide_ex.log and writes a line to it every 5 seconds.
Results of the testing phide_ex with different antirootkits:

F-Secure BlackLight 2.2.1042.0 vs phide_ex - BYPASSED
DarkSpy 1.0.5.0 (normal and super mode) vs phide_ex - BYPASSED
DS105fix2beta vs phide_ex - BYPASSED
IceSword 1.18 vs phide_ex - BYPASSED
RkUnhooker 3.0.80.300 vs phide_ex - BYPASSED
UnHackMe 2.5.5.228 vs phide_ex - BYPASSED
bitdefender_antirootkit-BETA1 vs phide_ex - BYPASSED
GMER 1.0.11.11390 vs phide_ex - BYPASSED
knlps10 vs phide_ex - BYPASSED
KProcCheck 0.2 vs phide_ex - NBYPASSED
Process Hunter 1.1 vs phide_ex - BYPASSED

We see that the antirootkits do not find the hidden process. So, how well are you protected, what do you think?

http://rapidshare.com/files/342975/phide_ex.exe.html
mxatone (Groupie; joined 24 October 2006)
Posted: 24 October 2006 at 9:38am
Impressive, let's reverse that!
MP_ART (Senior Member; joined 08 March 2006; Location: Russian Federation)
Posted: 24 October 2006 at 9:45am
Originally posted by mxatone:

    Impressive, let's reverse that!
lol. try it. You make me laugh
mxatone (Groupie; joined 24 October 2006)
Posted: 24 October 2006 at 10:21am
Originally posted by MP_ART:

    Originally posted by mxatone:

        Impressive, let's reverse that!

    lol. try it. You make me laugh


I think you didn't understand the irony, at least you laugh :)
SpannerITWks (Senior Member; joined 14 August 2005; Location: United Kingdom)
Posted: 24 October 2006 at 3:04pm

Reversed it already ! Only kidding lol.

Naughty words in there I see -

There's a typo, should be " your " not " you "

Anyway nice job, Thanx,

Spanner

edit - added pic typo etc



Edited by SpannerITWks - 24 October 2006 at 5:11pm
Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
EP_X0FF (Senior Member; joined 08 March 2006; Location: Russian Federation)
Posted: 25 October 2006 at 5:46am
Originally posted by PE386:

..........

F-Secure BlackLight 2.2.1042.0 vs phide_ex - BYPASSED
DarkSpy 1.0.5.0 (normal and super mode) vs phide_ex - BYPASSED
DS105fix2beta vs phide_ex - BYPASSED
IceSword 1.18 vs phide_ex - BYPASSED
RkUnhooker 3.0.80.300 vs phide_ex - BYPASSED
UnHackMe 2.5.5.228 vs phide_ex - BYPASSED
bitdefender_antirootkit-BETA1 vs phide_ex - BYPASSED
GMER 1.0.11.11390 vs phide_ex - BYPASSED
knlps10 vs phide_ex - BYPASSED
KProcCheck 0.2 vs phide_ex - NBYPASSED
Process Hunter 1.1 vs phide_ex - BYPASSED
.......


Yes, we all are bypassed. Some new interesting methods are used. We will update our program for next beta to detect this demo rootkit.
PE386 (Groupie; joined 16 June 2006; Location: Zimbabwe)
Posted: 27 October 2006 at 6:35pm
New antirootkits test results:

phide_ex vs IceSword 1.20 - BYPASSED
phide_ex vs TaskInfo 6.2 - BYPASSED
EASTER (Senior Member; joined 27 October 2006; Location: United States)
Posted: 27 October 2006 at 9:55pm

Local Antirootkit tools revealer tests:

phide_ex VS. MODGREPER - IDENTIFIED

phide_ex VS. SVV - IDENTIFIED

phide_ex VS. DriverView - IDENTIFIED

On the other hand, just that: I was not able to reach the .sys in any fashion with my inventory to disable it manually. ProcessView (older app) refused to open its monitoring feature, which gave a red flag that shielding was in progress!

IMPRESSIVE!

Concluded to restart/reboot and approach from a different direction; HOWEVER, it refused to fully reach the Windows GUI even after several repeated attempts (dunno if code or my machine), but I selected Last Known Good Configuration to return to the normal screen again.

Conclusion: MOST IMPRESSIVE!

INTENSIVE TECHNICAL RESEARCH ANALYSIS AND STEALTH EXAMINER.
EP_X0FF (Senior Member; joined 08 March 2006; Location: Russian Federation)
Posted: 27 October 2006 at 10:12pm
[removed] Driver address is available only in a deep kernel memory scan. No Windows info or PE signatures are available.

p.s. We have already detected the hidden process and will publish a special console program-detector in a few days.

EDIT: Sorry, my mistake. Not detected by ModGreper. Was my fault.

Edited by EP_X0FF - 27 October 2006 at 10:17pm
MP_ART (Senior Member; joined 08 March 2006; Location: Russian Federation)
Posted: 28 October 2006 at 2:12am
Successfully detected.

This simple tool implements all of the RkU process detection methods, plus improvements:
pwalker

It is not so easy to detect phide_ex, but possible.