Hiding executables using ADS (Alternate Data Streams)
I hear that NTFS alternate data streams can be used to hide running executables.
E.g., suppose I have an exe called hiddenProgram.exe on Windows XP; using cmd.exe or system(char*) calls in C,
type hiddenProgram.exe > c:\windows\system32\svchost.exe:hiddenProgram.exe
start c:\windows\system32\svchost.exe:hiddenProgram.exe
starts svchost and at the same time hiddenProgram.exe,
but hiddenProgram.exe is not displayed in Windows Task Manager!! Unfortunately, svchost is displayed as svchost:hiddenProgram.
Question: how can I ensure that hiddenProgram.exe is hidden totally in Task Manager?
In NTFS you can have one or more streams associated with a file. There is always an unnamed stream that everyone knows about, but you can also have named streams, which are referred to as Alternate Data Streams (ADS).
starts svchost and at the same time hiddenProgram.exe
No, it only starts the program contained in the stream: svchost:hiddenProgram
How can I ensure that hiddenProgram.exe is hidden totally in Task Manager
You can't easily. All running processes are shown in the task manager. See @joveha's comment below though.
Implement your virus as a device driver. Device drivers aren't shown in Task Manager.
Admittedly, you might have some problems in getting the 64-bit version of your virus signed by Microsoft, and Win64 in general requires signed drivers.
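The first answer's point about named streams cuts both ways: the same stream names that hide a payload from Explorer are enumerable with standard tools. The script below is an added example (not from any poster in this thread) that lists every non-default stream on the executables in a directory and flags those whose first two bytes are the PE "MZ" signature. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the directory path is an assumed default, and on PowerShell 7 the byte read would use -AsByteStream instead of -Encoding Byte.

```powershell
# Added example: find executables that carry alternate data streams, and flag
# streams that start with the PE "MZ" magic. Assumes Windows PowerShell 3.0+.
param(
    [string]$Path = 'C:\Windows\System32'   # assumed default scan location
)

Get-ChildItem -Path $Path -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns every stream on the file, including the unnamed
        # default stream, which the provider reports as ':$DATA'.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        # Read only the first two bytes of the named stream so large payloads
        # are not pulled fully into memory. Zone.Identifier streams are common
        # and benign (browser download marker) and will show LooksLikePE=False.
        $header = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                              -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File        = $_.FileName
            Stream      = $_.Stream
            Length      = $_.Length
            LooksLikePE = ($header.Count -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
        }
    } |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

From cmd.exe, dir /r in the same directory lists the stream names (without the PE check), which is enough to spot a stream like svchost.exe:hiddenProgram.exe.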