It has has been described quite well here<\/a>.<\/p>\n Hiding Processes only<\/strong><\/p>\n If you need to hide the process only, you can use HideToolz<\/a> available for a download from Fyyre’s<\/a> web site.<\/p>\n When the HideToolz is active, the processes marked for hiding are not visible in a Task Manager and can’t be found by normal process enumeration functions.<\/p>\n This is what HideToolz sees (processes marked with an asterisk are hidden)<\/p>\n <\/p>\n And this is what Task Manager can see (Process Explorer as well)<\/p>\n Hiding Files, Folders, Processes, Services, Registry entries<\/strong><\/p>\n When it comes to hiding more stuff, one can use help from the good ol’ Hacker Defender rootkit by HolyFather.<\/p>\n The rootkit uses a configuration file that allows to specify what we want hidden in the environment and that includes:<\/p>\n To set up the Hacker Defender one needs to\u00a0 edit\/change the default configuration file into sth along these lines:<\/p>\n The new configuration file can be now loaded:<\/p>\n And from now on browsing the folders, files, registry keys, names, values and processes, services lists will be available only to processes listed in\u00a0 ‘root processes’ section.<\/p>\n Example: what Regedit sees before installing the rootkit:<\/p>\n and after its installation<\/p>\n What Task Manager sees before<\/p>\n and after rootkit installation<\/p>\n <\/p>\n Obviously, the configuration I provided above is far from being perfect. The VM-specific strings are all over the place inside the registry, so we need to do a bit more of a home work. It is also more than likely that your environment uses different paths and tools.<\/p>\n It would be ideal if VM product developers allowed to completely hide the tools and the environment from the guest OS by e.g. using simple randomization of names, windows titles, processes’ names etc. –\u00a0 a simple technique used for years by many antirootkit tools e.g. XUETR and GMER.<\/p>\n","protected":false},"excerpt":{"rendered":" Seasoned malware analysts\/reversers\/crackers move along – you already know this stuff \ud83d\ude42 Analyzing malware is always challenging as there are a few dozen if not hundreds different ways to detect the virtual environment plus other tools used by reversers during … Continue reading ![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/11\/hide_1-300x169.png\" "\\"hide_1\\"")
<\/a><\/p>\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/11\/hide_2-284x300.png\" "\\"hide_2\\"")
<\/a><\/p>\n\n
[Hidden Table]\r\nhxd*\r\nvmu*\r\nvmt*\r\nvmw*\r\ntools*\r\nprocexp*\r\nollydbg*\r\n\r\n[Root Processes]\r\nhxd*\r\nvmu*\r\nvmt*\r\nvmw*\r\ntools*\r\nprocexp*\r\nollydbg*\r\n\r\n[Hidden Services]\r\nHackerDefender100\r\nvmu*\r\nvmt*\r\nvmw*\r\nprocexp*\r\n\r\n[Hidden RegKeys]\r\nVMware, Inc.\r\nSysinternals\r\n\r\n[Hidden RegValues]\r\nvmu*\r\nvmt*\r\nvmw*\r\n\r\n[Startup Run]\r\n\r\n[Free Space]\r\n\r\n[Hidden Ports]\r\n\r\n[Settings]\r\nPassword=infected\r\nBackdoorShell=cmd.exe\r\nFileMappingName=_.-=[Hacker Defender]=-._\r\nServiceName=HackerDefender100\r\nServiceDisplayName=HXD Service 100\r\nServiceDescription=NT rootkit\r\nDriverName=HackerDefenderDrv100\r\nDriverFileName=hxdefdrv.sys\r\n\r\n[Comments]<\/pre>\n
hxdef100.exe hide.ini<\/pre>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/11\/hide_3-300x202.png\" "\\"hide_3\\"")
<\/a><\/p>\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/11\/hide_3a-300x202.png\" "\\"hide_3a\\"")
<\/a><\/p>\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/11\/hide_4-252x300.png\" "\\"hide_4\\"")
<\/a><\/p>\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/11\/hide_4b-252x300.png\" "\\"hide_4b\\"")
<\/a><\/p>\n