Video Tutorial Windows API Hooking - How to hide process from Task Manager

[albfx]

forgive me for dumb questions I'm trying to understand the code...

   // nop any stolen bytes in src
    for (int i = 14; i < len; i++)
    {
        *(BYTE*)((uintptr_t)src + i) = 0x90;
    }

Why erase first 14 bytes of src function? Just for safety since it will not be called anymore?

    oNtQuerySystemInfo = (tNtQuerySystemInfo)TrampHook64((BYTE*)oNtQuerySystemInfo, (BYTE*)hkNtQuerySystemInfo, 16);

Is there a reason to steal the first 16 bytes? Could be for example 32 or put the jump in the middle of the func?

This is not a inline hook on the original func address (so you erased it), u are replacing the address of the funk on the IAT, right?

 NTSTATUS status = oNtQuerySystemInfo(SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength);

    if (SystemProcessInformation == SystemInformationClass && STATUS_SUCCESS == status)
    {
        // Loop through the list of processes
        _SYSTEM_PROCESS_INFORMATION* pCurrent = nullptr;
        _SYSTEM_PROCESS_INFORMATION* pNext = (_SYSTEM_PROCESS_INFORMATION*)SystemInformation;

Anyone knows how to access the data returned at systemInformation without use the struct. I tried pCurr + 0x04 or (char *)pCurr + 0x04 to see the number of threads but no way to make it works. If anyone have examples manipulating the data like this is very welcome.

 

[Rake]

Why erase first 14 bytes of src function? Just for safety since it will not be called anymore?

If by accident you jump inside the NOPS, it won't cause problems. But honestly, the best reason to do this, is to help you visualize what you're doing when inspecting it with a debugger. If you didn't NOP them, it would be a bit confusing to look at.

    oNtQuerySystemInfo = (tNtQuerySystemInfo)TrampHook64((BYTE*)oNtQuerySystemInfo, (BYTE*)hkNtQuerySystemInfo, 16);

Is there a reason to steal the first 16 bytes? Could be for example 32 or put the jump in the middle of the func?

This is not a inline hook on the original func address (so you erased it), u are replacing the address of the funk on the IAT, right?

the x64 hook I'm using is minimum 14 bytes, the stolen bytes is 16 in length, so you have to use 16.
It is not a IAT hook, it's a regular trampoline function hook.

If you did the GHB, you wouldn't need to ask these questions. You should do these:
Guide - How to Hook Functions - Code Detouring Guide
Video Tutorial - C++ Detour / Hooking Function Tutorial
Video Tutorial - x86 Trampoline Hook Source Code SwapBuffers Hook

The GHB teaches you everything in the order you need to learn it, all you have to do is do it.

 NTSTATUS status = oNtQuerySystemInfo(SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength);

    if (SystemProcessInformation == SystemInformationClass && STATUS_SUCCESS == status)
    {
        // Loop through the list of processes
        _SYSTEM_PROCESS_INFORMATION* pCurrent = nullptr;
        _SYSTEM_PROCESS_INFORMATION* pNext = (_SYSTEM_PROCESS_INFORMATION*)SystemInformation;

Anyone knows how to access the data returned at systemInformation without use the struct. I tried pCurr + 0x04 or (char *)pCurr + 0x04 to see the number of threads but no way to make it works. If anyone have examples manipulating the data like this is very welcome.

Just use the struct, don't be retarded

 

[xmaple555]

hi author, i'd like make sure that define __in and __out .

NtQuerySystemInformation(
  IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  OUT PVOID               SystemInformation,
  IN ULONG                SystemInformationLength,
  OUT PULONG              ReturnLength OPTIONAL );

above type is from NTAPI Undocumented Functions

so, i define type as shown below

typedef NTSTATUS(WINAPI* tNtQuerySystemInfo)(
    __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __out    PVOID SystemInformation,
    __in       ULONG SystemInformationLength,
    __out  PULONG ReturnLength
    );

am i doing right?
there is a bit difference from your code, but they both work.

and i am curious why did u define __inout and __out_opt.
thank in advance.

 

[Rake]

@xmaple555

in = regular argument
out = passed by reference or pointer (gets set by the function)
opt = optional, you can pass in null/nullptr

You do not need them at all, they are ignored by the compiler and only there for readability purposes.

 

[alucard1133]

Hey Hope everyone is well, got a few questions after going through specific parts of GHB, so I downloaded the zip file and gh injector, when injecting the "API Hooking DLL" into "taskmgr.exe" I get this error "Error = 0x10100009" and tried using a written injector and says file is not on my desktop. (as in the dll)

 

[Rake]

Hey Hope everyone is well, got a few questions after going through specific parts of GHB, so I downloaded the zip file and gh injector, when injecting the "API Hooking DLL" into "taskmgr.exe" I get this error "Error = 0x10100009" and tried using a written injector and says file is not on my desktop. (as in the dll)

A log file is generated, post that next time

#define SR_NTCTE_ERR_REMOTE_TIMEOUT 0x10100009 //WaitForSingleObject : win32 error : execution time of the shellcode exceeded SR_REMOTE_TIMEOUT

reset to default settings
compile in release mode

follow the trouble shooting steps here:
Download - GuidedHacking DLL Injector

I recently downloaded and injected this project without any issues

Try Download - Extreme Injector v3.6.1 Download and report back

 

[alucard1133]

A log file is generated, post that next time

#define SR_NTCTE_ERR_REMOTE_TIMEOUT 0x10100009 //WaitForSingleObject : win32 error : execution time of the shellcode exceeded SR_REMOTE_TIMEOUT

reset to default settings
compile in release mode

follow the trouble shooting steps here:
Download - GuidedHacking DLL Injector

I recently downloaded and injected this project without any issues

Try Download - Extreme Injector v3.6.1 Download and report back

Hey thanks for your help, I did a bit of research in the guides and managed to get it all sorted, you guys are great.
Just for the feedback, in re to Extreme Injector it did not load up for me, and I have .net framework and all that jazz already.
Also for GH Injector It still gave me this error,
Target : Taskmgr.exe
Target PID : 14892
Source : NtCreateThreadEx.cpp in SR_NtCreateThreadEx at line 202
Errorcode : 0x10100009
Advanced errorcode : 0x00000102
Injectionmode : LoadLibraryExW
Launchmethod : NtCreateThreadEx
Platform : x64/x86 (native)"\

overall everything worked out fine thanks again and sorry for taking your time