Exploit Pack - Documentation
Powered by GitBook
Process hiding

Last updated 2 days ago

In this part of the tutorial we are already connected to the target machine. We will now hide the Kernel Pack client by its PID and verify the result with Sysinternals. The Kernel Pack rootkit does this by patching the EPROCESS structure from ring-0 so that the client's process ID is hidden.

A quick recap: what is a PID (Process ID)? It is a unique identification number assigned to each running process by the operating system, and it can be used to identify or terminate processes. On Windows the PID can be viewed with tools such as tasklist, wmic, or Process Explorer (Sysinternals); on Linux and Unix it is displayed by the ps command.

What is Sysinternals? It is a collection of advanced system utilities for Windows, used to analyse, diagnose, and optimise Windows systems and applications and to gain in-depth insight into the workings of the operating system. Examples of Sysinternals tools include Process Monitor, Process Explorer, PsKill, and PsGetSid.

Using PIDs in Sysinternals tools: tools such as Process Explorer and PsKill use the PID to identify and manage processes; Process Explorer, for instance, can find and terminate a process by its PID. In short, the PID is a central part of process management on an operating system, and Sysinternals provides several tools that use it to manage and diagnose processes.

Hiding a Process Using Kernel Pack

  • Identify the process: open Sysinternals Process Explorer and locate the process you want to hide. In this example, Kernel Pack's client is running with PID 444. You can also check the PID of the Kernel Pack client when the first connection appears.

  • Open Kernel Pack: click on the "Process" button on the left menu.

    A new window will appear displaying various process manipulation options.

  • Select the action (in this case, process hide):

    Enter the PID of the target process (444).

    Select the action "Hide process" from the available options.

  • Execute the command: click on "Run command on..." to apply the changes.
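From the defender's side: the hiding performed above makes Process Explorer, and every other tool that consumes the kernel's process list, stop reporting PID 444, but the kernel can still resolve that PID when a handle is opened. The following PowerShell script, added here as an example and not part of Exploit Pack or Kernel Pack, probes every possible PID with OpenProcess and reports any that resolve yet are absent from the enumerated list; it assumes the rootkit unlinks the EPROCESS from ActiveProcessLinks (the page does not say which field is patched) and uses the constructed names Find-UnlinkedProcesses and Win32.Native.

```powershell
# Added example; not part of Exploit Pack or Kernel Pack. Looks for processes that
# OpenProcess can still resolve (through the kernel's PID handle table) but that the
# list-based enumeration used by Get-Process, Task Manager and Process Explorer no
# longer reports. Assumes the rootkit hides the process by unlinking its EPROCESS
# from ActiveProcessLinks; a rootkit that also hooks process opening or removes the
# PID table entry would not be caught this way. Run from an elevated prompt.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags, System.Text.StringBuilder lpExeName, ref uint lpdwSize);
"@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # granted even for protected processes
$ERROR_ACCESS_DENIED = 5

function Find-UnlinkedProcesses {
    param([int]$MaxPid = 65536)   # raise on hosts that have spawned many processes
    # Snapshot what the list-based enumeration reports. Windows PIDs are multiples of 4.
    $listed = @{}
    Get-Process | ForEach-Object { $listed[$_.Id] = $true }
    $findings = @()
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        if ($listed.ContainsKey($candidate)) { continue }
        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -eq [IntPtr]::Zero) {
            # ERROR_INVALID_PARAMETER (87) means no such PID; ACCESS_DENIED means it exists but cannot be opened
            if ($err -eq $ERROR_ACCESS_DENIED) {
                $findings += [pscustomobject]@{ PID = $candidate; Image = '<exists, access denied>' }
            }
            continue
        }
        $sb  = New-Object System.Text.StringBuilder 1024
        $len = [uint32]$sb.Capacity
        $image = if ([Win32.Native]::QueryFullProcessImageName($h, 0, $sb, [ref]$len)) { $sb.ToString() } else { '<unknown>' }
        [void][Win32.Native]::CloseHandle($h)
        $findings += [pscustomobject]@{ PID = $candidate; Image = $image }
    }
    return ,$findings
}

$unlinked = @(Find-UnlinkedProcesses)
if ($unlinked.Count -eq 0) { 'No PID resolved outside the enumerated process list.' }
else { $unlinked | Format-Table -AutoSize }
```

A process that starts between the Get-Process snapshot and the probe loop will show up as a false positive, so re-run and confirm any hit before treating it as a hidden process.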