DumpZ
Apr 21 2004, 01:17 PM
I was wondering if it's possible to hide system services. Because on my test server/honeypot I saw some processes running which returned every time after boot. I searched the registry, I really could find a lot. (I'm not really familiar with the registry, so maybe that is the problem.)
But if it's possible to hide system services, is there also a way to unhide them?
Flowers
Apr 21 2004, 02:03 PM
Try this
http://hxdef.czweb.org/ (rootkit)
(if hidden, it's hard to unhide)
DumpZ
Apr 21 2004, 03:29 PM
Well, thanks, but I'm kinda looking for something to unhide it as well.
tuby
Apr 21 2004, 03:37 PM
If your hxdef.ini is good, with an adequate root process, you can uninstall hxdef easily.
For example, if in [root process] you have backcmd.exe (copy of cmd.exe):
backcmd /c hxdef -:uninstall
After a reboot, you can see/modify/delete your services.
Enjoy
LKM
Apr 21 2004, 04:53 PM
As the guy before me said, HXDEF has a wide range of interesting uses in order to hide / unhide services, processes, tasks.
I recommend you try it, and then post here if you've got problems with it.
The only downside is that it made some hidden progs crash on remote computers :|
phrozen77
Apr 21 2004, 08:17 PM
you may want to try rkd (rootkit detector) from haxorcitos...
-> google
radien
Apr 22 2004, 06:03 AM
Yup, I can remember, sometime, that one of my friends kept track of processes (keyloggers/trojans/viruses) that hide behind svchost.exe. It's because svchost runs some of the Windows services somehow. So look for svchost and how to hide behind it.
I hope it helps,
DumpZ
Apr 22 2004, 07:44 AM
Thank you guys, I'm getting started right away.
Synchr0
Apr 22 2004, 06:06 PM
thx, it's a nice rootkit :D
Lyeses
Apr 29 2004, 01:44 AM
Hxdef is a good rootkit.