# Process hiding

In the next part of this tutorial, we're already connected to the target machine. We'll now hide our Kernel Pack client using its PID and verify the result with Sysinternals. Under the hood, the Kernel Pack rootkit patches the EPROCESS structure from ring-0 so that the client's process ID is hidden from process listings.

**A quick recap: What is PID (Process ID)?**\
A unique identification number for each running process on the operating system.\
It can be used to terminate or identify processes.\
In Windows, the PID can be viewed using tools such as tasklist, wmic, or Process Explorer (Sysinternals).\
In Linux and Unix, the PID is displayed with the ps command.

**What is Sysinternals?**\
A collection of advanced system utilities for Windows.\
Used to analyse, diagnose, and optimise Windows systems and applications.\
Users can gain in-depth insight into the workings of the operating system.\
Examples of Sysinternals tools include Process Monitor, Process Explorer, PsKill, and PsGetSid.

**Using PID in Sysinternals tools:**\
Sysinternals tools, such as Process Explorer and PsKill, use PID to identify and manage processes.\
Process Explorer can be used to find and terminate processes based on PID.

In summary, PID is a critical part of managing processes on an operating system, and Sysinternals provides several tools that use PID to manage and diagnose processes.

**Hiding a Process Using Kernel Pack**

* Identify the Process\
  Open Sysinternals Process Explorer and locate the process you want to hide. In this example, Kernel Pack's client is running with PID 444. You can also check the PID of the Kernel Pack client when the first connection appears.
* Open Kernel Pack\
  Click on the "Process" button on the left menu. A new window will appear displaying various process manipulation options.
* Select the action (in this case, process hide)\
  Enter the PID of the target process (444), then select the action "Hide process" from the available options.
* Execute the Command\
  Click on "Run command on..." to apply the changes.

{% embed url="https://youtu.be/AZNg2gJLzkg?si=khdbkc37XZaUo6XL" %}
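Unlinking an EPROCESS from the kernel's process list only blinds tools that walk that list (Process Explorer, tasklist and anything built on NtQuerySystemInformation or Toolhelp). The kernel still resolves the PID through its CID/handle table, so OpenProcess on the hidden PID keeps succeeding. The following Python script is an added cross-view check, not code from the Kernel Pack manual or the Exploit Pack project: it compares the PIDs reported by `tasklist` with the PIDs the kernel will resolve via OpenProcess and reports any PID that appears only in the second view. The sample tasklist output and probe result embedded in it are constructed, with the tutorial's PID 444 deliberately missing from the listing; the live check assumes a Windows host with Python 3 and ctypes.

```python
"""Cross-view check for processes unlinked from the kernel's process list.

Added example, not part of the Kernel Pack manual. Assumes a Windows host,
Python 3 with ctypes, and a hiding technique that unlinks the EPROCESS from
ActiveProcessLinks while the PID stays resolvable through the CID table.
"""
import csv
import ctypes
import io
import subprocess
import sys

# Weakest desired access that still makes the kernel resolve the PID.
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_ACCESS_DENIED = 5       # PID exists, but this token may not open it (protected/system process)
ERROR_INVALID_PARAMETER = 87  # PID is not in use

# Constructed sample of `tasklist /FO CSV /NH` output (not captured from a real host);
# the Kernel Pack client with PID 444 from the tutorial is deliberately absent.
SAMPLE_TASKLIST_CSV = (
    '"System","4","Services","0","20 K"\n'
    '"csrss.exe","516","Services","0","4,200 K"\n'
    '"explorer.exe","1320","Console","1","85,104 K"\n'
)
# Constructed result of the OpenProcess probe on the same hypothetical host.
SAMPLE_PROBED_PIDS = {4, 444, 516, 1320}


def parse_tasklist_csv(text):
    """Parse `tasklist /FO CSV /NH` output into {pid: image_name}.

    tasklist enumerates through the kernel's process list, so a process whose
    EPROCESS has been unlinked never shows up here.
    """
    listed = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue  # blank line or the "INFO: ..." line tasklist prints when nothing matches
        listed[int(row[1])] = row[0]
    return listed


def probe_pids_via_openprocess(max_pid=65536):
    """Return the set of PIDs the kernel resolves through OpenProcess.

    OpenProcess looks the PID up in the CID/handle table rather than walking
    ActiveProcessLinks, so an unlinked process still answers (with a handle or
    ERROR_ACCESS_DENIED). Windows PIDs are multiples of 4, so only those are probed.
    """
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32)
    kernel32.CloseHandle.argtypes = (ctypes.c_void_p,)
    alive = set()
    for pid in range(4, max_pid, 4):
        handle = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if handle:
            alive.add(pid)
            kernel32.CloseHandle(handle)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            alive.add(pid)  # exists, just not openable from this token
    return alive


def find_unlisted_pids(listed, probed):
    """PIDs the kernel resolves but no listing reports: candidates for DKOM hiding."""
    return sorted(pid for pid in probed if pid not in listed)


def demo_offline():
    """Run the comparison on the constructed sample data (no Windows API needed)."""
    return find_unlisted_pids(parse_tasklist_csv(SAMPLE_TASKLIST_CSV), SAMPLE_PROBED_PIDS)


def cross_view_check():
    """Run both views on the live system and return the suspicious PIDs."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    listed = parse_tasklist_csv(out)
    # A process created between the two passes appears only in the probe, so
    # re-run and keep the PIDs that are flagged every time before treating them as hidden.
    probed = probe_pids_via_openprocess()
    return find_unlisted_pids(listed, probed)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("The live check needs the Windows kernel32 API; offline demo: %r" % demo_offline())
    for pid in cross_view_check():
        print(f"PID {pid}: resolvable via OpenProcess but absent from tasklist (possible unlinked EPROCESS)")
```

Two caveats a practitioner should keep in mind: a rootkit that also hooks the PID lookup path or filters the handle table defeats this particular comparison, so treat it as one view among several (memory forensics with a tool that scans for EPROCESS pool allocations is the stronger check), and a PID that was flagged once but disappears on a second pass is usually a short-lived process that started between the two enumerations, not a hidden one.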
