Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[help] Having troubles getting it to work #5

Open
aegyed91 opened this issue Dec 5, 2017 · 6 comments
Open

[help] Having troubles getting it to work #5

aegyed91 opened this issue Dec 5, 2017 · 6 comments

Comments

@aegyed91
Copy link

aegyed91 commented Dec 5, 2017

Hi @landhb, i compiled the driver and the loader. Copied Rootkit.sys to C:\Windows\System32\drivers\

In the loader.c file i got #define DRIVER "C:\\Windows\\System32\\drivers\\Rootkit.sys" when i compile.

When i try to hide a process this is the STDOUT i get:

C:\Windows>dkom.exe Ditto_deleted.exe

 Basic DKOM Rootkit to Hide a Process
 Usage : loader.exe [process name]
 Author: Bradley Landherr


[+] Discovered PID of process Ditto_deleted.exe: 1208
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: The system cannot find the path specified.

LALA: 3
[-] Error creating handle: The system cannot find the path specified.

Ignore LALA: 3 :D I think the error happens at StartService(svcHandle, 0, NULL) == 0 it is like the loader cannot find the driver

any ideas?

OFF: on win 10 ver 1703 (rs2) build 15063 enterprise it only works for you about ~30minutes before BSOD?
@ghost
Copy link

ghost commented Dec 18, 2017
edited by ghost
Loading

This is the error I encountered, any solution?

 C:\Windows>dkom.exe cmd.exe
 
  Basic DKOM Rootkit to Hide a Process
  Usage : loader.exe [process name]
  Author: Bradley Landherr
 
 
 [+] Discovered PID of process cmd.exe: 1740
 [*] Grabbing driver device handle...
 [*] Loading driver.
 [-] Error loading driver: This driver has been blocked from loading
 
 [-] Error creating handle: This driver has been blocked from loading

Thanks!

EDIT: problem fixed, just need to compile a x64 driver

@jodimary
Copy link

I am also getting:
[-] Error loading Driver: The system cannot find the path specified.
[-] Error creating handle: The system cannot find the path specified.

Any help is greatly appreciated,
Thanks for your work!

@landhb
Copy link
Owner

landhb commented Feb 28, 2018
edited
Loading

@jodimary Did you also build the driver and place it in the path defined at:

https://github.com/landhb/HideProcess/blob/master/loader/loader.c#L8

You can change that define statement to point to wherever your .sys file is.

@jodimary
Copy link

jodimary commented Mar 1, 2018

Hi Bradley,
Thanks so much for replying. I tried it again and it was successful so it must have been something I did incorrectly through the process.

Just want to say thank you, as I have been looking for exactly this, that works on Windows 10 for a while, as my university dissertation is regarding memory forensics.

Thank you!!

@landhb
Copy link
Owner

landhb commented Mar 4, 2018

No problem! Hope it helps, good luck!

@h2dajeffers
Copy link

Using a win8.1 VM, will this code work in this OS?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@aegyed91 @landhb @jodimary @h2dajeffers