I need to hide process from SoftIce - possible?
All variants which I have found can not do it. That on this cause gurus think?
hi .....
this works for Win 95.... but for the other OS not sure :-D
hope this code snippet helps ya....
regards...

Function call:

    RegisterService(1); // hide the thing!!!

Put this in your header file:

    #include <windows.h>

    // Hide program (registers it as a service process so the task list skips it)
    typedef DWORD (WINAPI *TRegis)(DWORD, DWORD);
    int RegisterService(int); // hide

//---------------------------------------------------------------------------
int RegisterService(int Reg)
{
    HINSTANCE hKrnl32;
    // This is the location of the kernel32.dll file. It should default to the
    // windows\system directory.
    LPCTSTR RspDllName = "C:\\Windows\\System\\Kernel32.dll";
    LPCTSTR RspName = "RegisterServiceProcess";
    DWORD Ret;

    // Load the kernel32.dll file
    hKrnl32 = LoadLibrary(RspDllName);
    if (hKrnl32 != NULL)
    {
        // Resolve the export at run time; it is not declared in the SDK headers
        TRegis RegisterServiceProcess = (TRegis) GetProcAddress(hKrnl32, RspName);
        if (RegisterServiceProcess != NULL)
        {
            // When you register the process (Reg = 1) it will not show up in the
            // ctrl+alt+del list. When you unregister it (Reg = 0), it will show up.
            // First argument 0 means "the calling process".
            Ret = RegisterServiceProcess(0, Reg);
        }
        else
        {
            // Export not present on this OS: release the library before failing
            FreeLibrary(hKrnl32);
            return 0;
        }
        FreeLibrary(hKrnl32);
        return Ret;
    }
    else
    {
        return 0;
    }
}
I guess you could somehow hide it from being detected by SoftICE, but what about other debuggers where you explicitly launch a process right in the debugger IDE? Like OllyDbg, for instance. Also, inserting code to detect the presence of SoftICE is rather pointless as well, because there are of course other plug-ins/tools to hide SoftICE from being detected :rolleyes:
I'm just giving the facts, and the facts state "You can run but you can't hide" ;)