
Hiding executables using ADS (Alternate Data Streams)

I hear that NTFS alternate data streams can be used to hide running executables.

e.g. suppose I have an exe called hiddenProgram.exe on Windows XP; using cmd.exe or system(char*) calls in C,

type hiddenProgram.exe > c:\windows\system32\svchost.exe:hiddenProgram.exe

start c:\windows\system32\svchost.exe:hiddenProgram.exe

starts svchost and at the same time hiddenProgram.exe

but hiddenProgram.exe is not displayed in Windows Task Manager!! Unfortunately, svchost is displayed as svchost:hiddenProgram.

Q: How can I ensure that hiddenProgram.exe is hidden totally in Task Manager?


In NTFS you can have one or more streams associated with a file. There is always an unnamed stream that everyone knows about, but you can also have named streams, which are referred to as Alternate Data Streams (ADS).

starts svchost and at the same time hiddenProgram.exe

No, it only starts the program contained in the stream: svchost:hiddenProgram.

How can I ensure that hiddenProgram.exe is hidden totally in Task Manager?

You can't easily. All running processes are shown in the task manager. See @joveha's comment below though.
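Since the real concern with ADS is that a named stream does not show up in a normal directory listing, the practical defender-side step is to enumerate streams explicitly. The script below is an added example, not part of the original answer; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and the `$Root` parameter is an assumed default.

```powershell
# Added example: list alternate data streams under a directory and flag any
# whose first two bytes are the PE header "MZ" (i.e. a stored executable).
# Assumption: Windows PowerShell 3.0+ (for -Stream and -File); on PowerShell 7
# replace "-Encoding Byte" with "-AsByteStream".
param([string]$Root = "C:\Windows\System32")   # assumed default, adjust as needed

Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    # Every file has the unnamed stream ':$DATA'; anything else is an ADS.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object {
        $streamName = $_.Stream
        # Read only the first two bytes of the stream to check for an "MZ" header.
        $bytes = Get-Content -LiteralPath $file.FullName -Stream $streamName `
                   -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        $looksLikePE = ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
        [PSCustomObject]@{
          File        = $file.FullName
          Stream      = $streamName
          Length      = $_.Length
          LooksLikePE = $looksLikePE
        }
      }
  } | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Streams named `Zone.Identifier` are the normal "downloaded from the Internet" marker and will show up on many files; the `LooksLikePE` column is what separates a stored executable from that benign noise.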


Implement your virus as a device driver. Device drivers aren't shown in Task Manager.

Admittedly, you might have some problems in getting the 64-bit version of your virus signed by Microsoft, and Win64 in general requires signed drivers.
