Process hiding
In this part of the tutorial we are already connected to the target machine. We will hide the Kernel Pack client by its PID and then confirm the result with Sysinternals Process Explorer. Under the hood, the Kernel Pack rootkit patches the target's EPROCESS structure from ring 0 (direct kernel object manipulation, DKOM) so that the process no longer appears in process listings; the classic way an EPROCESS patch hides a process is by unlinking it from the ActiveProcessLinks list that the kernel's process enumeration walks. The process itself keeps running; only its visibility changes.
A quick recap: What is a PID (Process ID)? A unique number the operating system assigns to each running process. Tools and APIs use it to identify a process, for example when terminating it. On Windows the PID can be viewed with tasklist, wmic, Get-Process in PowerShell, or Process Explorer (Sysinternals); on Linux and Unix it is shown by the ps command.
What is Sysinternals? A collection of advanced system utilities for Windows used to analyse, diagnose and troubleshoot Windows systems and applications, giving in-depth insight into how the operating system works. Examples of Sysinternals tools include Process Monitor, Process Explorer, PsKill and PsGetSid.
Using PIDs in Sysinternals tools: tools such as Process Explorer and PsKill identify and manage processes by PID. Process Explorer can locate and terminate a process from its PID, and PsKill kills a process given its PID or name. In short, the PID is the identifier by which processes are managed on an operating system, and Sysinternals provides several tools that use it to manage and diagnose processes.
Hiding a Process Using Kernel Pack
1. Identify the process. Open Sysinternals Process Explorer and locate the process you want to hide. In this example the Kernel Pack client is running with PID 444. The client's PID is also shown in Kernel Pack when its first connection appears.
2. Open the process menu. In Kernel Pack, click the "Process" button in the left-hand menu. A new window appears listing the available process manipulation options.
3. Enter the PID of the target process (444).
4. Select the action "Hide process" from the available options.
5. Execute the command. Click "Run command on..." to apply the change.
6. Verify. Refresh the process list in Process Explorer (or run tasklist): PID 444 should no longer be listed, even though the client is still running.
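What the "Hide process" command does in the kernel is easier to reason about with the pointer surgery laid out in code. The following is an added example and not Kernel Pack's own code: a user-mode model of the DKOM technique, unlinking an EPROCESS from the ActiveProcessLinks list. The FAKE_EPROCESS struct, the list head, the function names and the sample PIDs and image names (444 for the client, the rest made up) are assumptions of this example; the real EPROCESS layout is version-specific and lives in kernel memory.

```c
/* Added example (not Kernel Pack's code): user-mode model of hiding a process by
 * unlinking its EPROCESS from ActiveProcessLinks. The structs are stand-ins with
 * assumed layouts; only the list manipulation mirrors what a real driver does. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the kernel's LIST_ENTRY: a circular doubly linked list node. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Stand-in for EPROCESS with only the fields this example touches. */
typedef struct _FAKE_EPROCESS {
    uintptr_t  UniqueProcessId;     /* the PID */
    LIST_ENTRY ActiveProcessLinks;  /* links the process into PsActiveProcessHead */
    char       ImageFileName[16];
} FAKE_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

LIST_ENTRY    PsActiveProcessHead;   /* stand-in for the kernel's list head */
FAKE_EPROCESS sample_processes[4];   /* constructed sample data, see setup_sample_list */

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* Build a small "active process" list. PIDs and names are constructed for the
 * example; 444 is the Kernel Pack client PID used in the tutorial. */
void setup_sample_list(void)
{
    static const struct { uintptr_t pid; const char *name; } seed[4] = {
        { 4, "System" }, { 1234, "explorer.exe" }, { 444, "kpclient.exe" }, { 5678, "notepad.exe" },
    };
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (size_t i = 0; i < 4; i++) {
        sample_processes[i].UniqueProcessId = seed[i].pid;
        strncpy(sample_processes[i].ImageFileName, seed[i].name, 15);
        sample_processes[i].ImageFileName[15] = '\0';
        InsertTailList(&PsActiveProcessHead, &sample_processes[i].ActiveProcessLinks);
    }
}

/* Walk the list the way process enumeration does; this is the view that
 * tasklist and Process Explorer ultimately present. */
size_t active_process_count(void)
{
    size_t n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink)
        n++;
    return n;
}

FAKE_EPROCESS *find_by_pid(uintptr_t pid)
{
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) {
        FAKE_EPROCESS *p = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid)
            return p;
    }
    return NULL;
}

/* The DKOM hide. Returns 1 if the entry was unlinked, 0 if the PID is not in the
 * list (no such process, or already hidden). The orphaned entry is pointed at
 * itself: when the process later exits, the kernel's own unlink of
 * ActiveProcessLinks then only touches the entry's memory instead of writing
 * through stale neighbour pointers, which is what would crash the machine. */
int hide_process(uintptr_t pid)
{
    FAKE_EPROCESS *p = find_by_pid(pid);
    if (p == NULL)
        return 0;
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;   /* neighbours now skip over this entry */
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;      /* self-link so a later unlink is harmless */
    return 1;
}

int entry_is_self_linked(const FAKE_EPROCESS *p)
{
    return p->ActiveProcessLinks.Flink == &p->ActiveProcessLinks &&
           p->ActiveProcessLinks.Blink == &p->ActiveProcessLinks;
}

int main(void)
{
    setup_sample_list();
    printf("before: %zu visible, PID 444 found: %s\n",
           active_process_count(), find_by_pid(444) ? "yes" : "no");
    hide_process(444);
    printf("after hide_process(444): %zu visible, PID 444 found: %s\n",
           active_process_count(), find_by_pid(444) ? "yes" : "no");
    return 0;
}
```

In a real driver the EPROCESS would be obtained with PsLookupProcessByProcessId and the ActiveProcessLinks field located through a build-specific offset; the list edit itself is the same four pointer writes. Two things the model makes visible are worth keeping in mind when verifying with Process Explorer: the self-link is what keeps the hidden client from crashing the system when it eventually exits, and only this one view of the process is patched. The client's threads are still scheduled, its PID still resolves through the kernel's PID handle table (so opening the process by PID still works), and its handles and network connections remain visible to tools that do not rely on the active-process list. Cross-view detection compares those sources against the enumerated list, and a PID that can be opened but does not enumerate is the classic signature of exactly this hide.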