Process Hide v1.0

                         by 90210//HI-TECH

0. Abstract
-----------

"Phide"  (process  hide)  is  the  engine  for  the  low level process
manipulating  on  kernel  level,  designed  to  be  used by a userland
process. It supports only nt-based systems (NT4, 2k, XP, 2k3). Process
management  is  done  through  the  playing  with EPROCESS structures.
Thread   that   calls   engine   MUST   have   read/write   access  to
\Device\PhysicalMemory, otherwise engine will fail.

1. Features
-----------

The engine main features are:
- get EPROCESS offset for a given pid.
- hide  the  selected  process by excluding its EPROCESS from the most
low-level  kernel  process list, which starts from PsActiveProcessHead
symbol.
- change selected process image name in run-time.
- patch  UniqueProcess  field  in  all  ETHREADs  that  belong  to the
selected  process  to  hide  it  from  klister-like  tools.
- process  can  be  selected  by  pid  or  directly  by  its  EPROCESS
structure.  This is useful when process is already hidden and you have
to  hide  new thread from klister, because even one thread with a real
pid of its process-creator will compromise the whole process.

Process  hiding  technique is the same, as in the 'fu' rootkit, but my
goal  was  to  make  a small engine callable from r3. For now it's the
only  tool,  which hides processes from klister (i have version 0.3 of
this brilliant software).

Engine  code  doesn't rely on the hardcoded ntoskrnl offsets, that may
vary from one servicepack to another. It only relays on the offsets of
the  needed  EPROCESS  and  EHTREADS fields, because these structs are
different in 4 types of nt-based oses.

2. Usage
--------

ProcessHide proc dwProcess2Hide:DWORD,\
                 dwFlags:DWORD,\
                 pNewImgName:DWORD,\
                 ppEPROCESS:DWORD

Function format is STDCALL.

Parameters:

dwProcess2Hide
  Specifies  the process. May be PID or pointer to EPROCESS structure.
  When  setting dwProcess2Hide to pid, the PH_PROCESS_BY_PID flag must
  be set. Otherwise, set PH_PROCESS_BY_EPROCESS flag.

dwFlags
  Specifies  what  engine  should  do with selected process and how it
  should  interpret  dwProcess2Hide  parameter.  dwFlags  may  be    a
  combination of following flags:
  
  PH_PROCESS_BY_PID
    dwProcess2Hide is a PID.
    
  PH_PROCESS_BY_EPROCESS
    dwProcess2Hide points to a EPROCESS structure.
    
  PH_EXCLUDE_EPROCESS
    Hide specified process by excluding its EPROCESS from the EPROCESS
    linked list, which start from PsActiveProcessHead.
  
  PH_CHANGE_THREADS_PID
    Enumerate  all  threads  that  belong to specified process, change
    their  creator's  pid to 8 (System process) and set process' image
    file  name  to  'System'.  This  is done to avoid detecting hidden
    process by klister tool.

  PH_CHANGE_IMGNAME
    Changes  image  file name of the specified process. Name is set to
    pNewImgName. Note that on XP and above process image name will not
    increase its length - if user supplied name is longer than current
    image name, it will be truncated.
    
pNewImgName
  Points  to  a  null-terminated  ANSI  string  that  will be set as a
  process  image  filename  if  PH_CHANGE_IMGNAME flag is set. Ignored
  otherwise.
  
ppEPROCESS
  Points  to DWORD that the engine sets to the found process' EPROCESS
  pointer. May be NULL if EPROCESS offset is not needed.



Return valules
  If  the  engine  succeeds,  the  return value is zero. If the engine
  fails for some reason, return value will be one of the following:

  PH_ERR_GENERAL
    An exception occured somewhere in the engine while working.
  
  PH_ERR_PROCESS_NOT_FOUND
    Engine  couldn't  find  process  with  specified  PID or specified
    EPROCESS seems to be invalid.
  
  PH_ERR_MUST_SPECIFY_NAME
    Flag PH_CHANGE_IMGNAME is set but pNewImgName is NULL.
  
  PH_ERR_NOT_ENOUGH_MEMORY
    One of the VirtualAlloc engine calls has failed.
  
  PH_ERR_CANT_FIND_NTOSKRNL
    Engine couldn't find ntoskrnl imagebase. Strange.
  
  PH_ERR_CANT_OPEN_SECTION
    \Device\PhysicalMemory  is  protected  by some security program or
    you  haven't enough privileges to open it. By default, only admins
    can do that.
  
  PH_ERR_CANT_LOAD_NTOSKRNL
    Internal engine error: it couldn't load ntoskrnl image for further
    analysis. Strange.
  
  PH_ERR_CANT_FIND_PAPH
    Engine failed to find PsActiveProcessHead offset in ntoskrnl.
    
  PH_ERR_CANT_MAP_SECTION
    Engine  couldn't  map a region of physical memory to some userland
    region. Usually happens in VMWare systems.
  
  PH_ERR_CANT_LOCK_PAGES
    R0 code and data pages couldn't be locked for some reason.

  PH_ERR_CANT_FIND_FREE_DESCRIPTOR
    All GDT entries are present (bit P set). Strange.
  
  PH_ERR_OS_NOT_SUPPORTED
    Only NT4, 2k, XP and 2k3 server are supported.
  

Remarks

  Use  PH_CHANGE_THREADS_PID  very  carefully.  After  this  operation
  threads  will  "disconnect"  from  csrss  -  console  output will be
  trashed. GUI processes may cause bsod on their ExitProcess.
  Note  that  XP  and 2k3 don't set EPROCESS SE AUDIT PROCESS CREATION
  INFO ImageFileName field before first thread start - they do that "a
  bit  later",  so  don't  expect  that  PH_CHANGE_IMGNAME  call  will
  succesfully change the name of the newly created process.