Full Version: Process Pid
c°h°
Hi guys,

Is it possible to start a process with a given PID such that, if the PC reboots, the process will get the same PID again?

If this is possible, is there a tool around which can manage that issue?


tia

greets ch
belgther
Looks like you have to reverse Windows APIs... again :(
Because when a process is opened, it is added to the process table with a random ID. But why do you need such a thing?
IcedOut3E
Wants to be all 1337 and shit and make it run as PID 1337 or 666 or some shit like that. That's my guess why.
nackas
I suppose running a program with a low PID on a remote host would decrease the chances of the program being detected by the admin, I guess ph34r.gif
belgther
QUOTE(nackas @ Jan 18 2005, 09:34 AM)
I suppose running a program with a low PID on a remote host would decrease the chances of the program being detected by the admin, I guess ph34r.gif

Why should it decrease the chance? What I know is that the PID doesn't change the detection chance, since they are all stored in a process table, so even if you run a process with a predefined ID, it will be seen there. I use LordPE to get the PID.
White Scorpion
belgther is right, try it for yourself: pk2. Use this program to view all the processes and their process IDs. As you can see, it will even show the System process ID, which on my system is now 4. How low were you planning to go? I'm positive this will not help making the detection chance smaller.....

nackas
QUOTE(belgther @ Jan 18 2005, 09:44 PM)
QUOTE(nackas @ Jan 18 2005, 09:34 AM)
I suppose running a program with a low PID on a remote host would decrease the chances of the program being detected by the admin, I guess ph34r.gif

Why should it decrease the chance? What I know is that the PID doesn't change the detection chance, since they are all stored in a process table, so even if you run a process with a predefined ID, it will be seen there. I use LordPE to get the PID.

Yes, all the processes are listed, but look at the trend of the PIDs. You'll find that many of Windows' processes have a low PID and that recently opened programs have larger ones. The Task Manager process list is sorted by PID by default, so there is a possibility that the admin/user may only look at high PIDs. I could be wrong, but that's just my theory.
Jeeve5
Actually you are completely right. Most 'regular' admins don't take a close look at the 2- and 3-digit PIDs on Windows systems, since they tend to be legit processes. Take that and a well-chosen process name and you are better protected than running winhack.exe with a 1500 PID wink.gif
belgther
OK Jeeve5, but maybe he means the detection chance by a process lister. So you are right that most admins don't suspect a process with a low PID, but when the admin is somehow clever, he can suspect it... but you are right, most admins can be fooled easily...
White Scorpion
Well, I'm not going into this discussion... If you want to hide a process, then I suggest writing a DLL and hooking it onto a Windows process. This way you will not get any extra process listed in the Task Manager...

belgther
QUOTE(White Scorpion @ Jan 28 2005, 07:44 AM)
Well, I'm not going into this discussion... If you want to hide a process, then I suggest writing a DLL and hooking it onto a Windows process. This way you will not get any extra process listed in the Task Manager...

Well, you are right, but don't forget that you can see the attached DLLs in LordPE or ProcDump, too... but if you fool the admin using a DLL name that looks like a system DLL, everything is OK...
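The thread ends on two defensive points: a low PID or a system-looking process name only fools an admin who never checks, and a DLL injected into a Windows process still shows up in a module lister unless its name also mimics a system DLL. The following is an added example (my code, not from any poster in this thread) of the check an admin would actually run over a process and module listing: it walks every process in PID order, so PID 512 gets the same scrutiny as PID 2212, and it flags an image or module whose name is on a system allow-list but which loads from outside the Windows system directories, plus any DLL pulled into a system process from a user-writable path. The process records and the short allow-list are constructed for the example (real baselines are far larger; `SYSTEM_NAMES` and `SYSTEM_DIRS` are assumptions), and the record layout is my own, not the output format of LordPE, ProcDump or tasklist.

```python
"""Added example: flag processes and loaded DLLs that mimic Windows system
binaries but load from outside the system directories.  All process and
module records below are constructed sample data, not real tool output."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumed system directories; a real check would read them from the OS.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows")

# Assumed (hypothetical, deliberately short) list of names that should only
# ever be loaded from SYSTEM_DIRS.  Anything with one of these names living
# elsewhere is a lookalike, whatever its PID.
SYSTEM_NAMES = {
    "ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll",
    "smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "svchost.exe",
}


@dataclass
class Process:
    pid: int
    name: str
    path: str                         # image path; "" for kernel-backed System
    modules: list = field(default_factory=list)   # (dll name, dll path) pairs


def in_system_dir(path: str) -> bool:
    """True if the file's parent directory is exactly one of SYSTEM_DIRS."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d.lower() for d in SYSTEM_DIRS)


def under_program_files(path: str) -> bool:
    """True for C:\\Program Files\\... and C:\\Program Files (x86)\\..."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower().startswith("program files")


def audit(processes):
    """Return (pid, rule, name, path) findings, lowest PID first.

    Rules:
      lookalike-process: system binary name, image outside SYSTEM_DIRS
      lookalike-dll:     system DLL name, module outside SYSTEM_DIRS
      foreign-dll:       any DLL loaded into a system-directory process from
                         a path that is neither a system dir nor Program Files
    """
    findings = []
    for proc in sorted(processes, key=lambda p: p.pid):
        if proc.path and proc.name.lower() in SYSTEM_NAMES \
                and not in_system_dir(proc.path):
            findings.append((proc.pid, "lookalike-process", proc.name, proc.path))
        system_host = bool(proc.path) and in_system_dir(proc.path)
        for mod_name, mod_path in proc.modules:
            if in_system_dir(mod_path):
                continue
            if mod_name.lower() in SYSTEM_NAMES:
                findings.append((proc.pid, "lookalike-dll", mod_name, mod_path))
            elif system_host and not under_program_files(mod_path):
                findings.append((proc.pid, "foreign-dll", mod_name, mod_path))
    return findings


# Constructed sample listing.  PIDs 512 and 640 are deliberately low and
# carry system-looking names; the PID alone tells the admin nothing.
NTDLL = ("ntdll.dll", r"C:\Windows\System32\ntdll.dll")
SAMPLE = [
    Process(4, "System", ""),
    Process(368, "smss.exe", r"C:\Windows\System32\smss.exe", [NTDLL]),
    Process(512, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
            [NTDLL, ("kernel32.dll", r"C:\Windows\System32\kernel32.dll")]),
    Process(640, "winlogon.exe", r"C:\Windows\System32\winlogon.exe",
            [NTDLL, ("user32.dll", r"C:\Users\bob\user32.dll")]),
    Process(1504, "explorer.exe", r"C:\Windows\explorer.exe",
            [NTDLL, ("shellext.dll", r"C:\Program Files\Acme\shellext.dll"),
             ("helper.dll", r"C:\Users\bob\AppData\Roaming\helper.dll")]),
    Process(2212, "notepad.exe", r"C:\Windows\System32\notepad.exe", [NTDLL]),
]

if __name__ == "__main__":
    for pid, rule, name, path in audit(SAMPLE):
        print(f"PID {pid:>5}  {rule:<18} {name:<14} {path}")
```

Run against the sample it reports the fake svchost.exe at PID 512, the lookalike user32.dll inside winlogon.exe at PID 640, and helper.dll injected into explorer.exe from a roaming profile, while the genuine low-PID smss.exe and the Program Files shell extension pass. The comparison is on the parent directory, not on the name, which is exactly what the "system DLL name" trick in the post above does not survive.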
Invision Power Board © 2001-2005 Invision Power Services, Inc.