thank sahir
now I am thinking in semantics and I about fitting the pieces.
I have read about the Fu which uses a technique known as DKOM (Direct Kernel Object Manipulation) to hide processes. It manipulates the data structures used by the Windows kernel to hide processes (specifically it removes the process from the EPROCESS linked list in the kernel). which makes the process invisible to Windows.
I tried a debugger to actually see the EPROCEESS block and study literatures about kernel debugging and I found out alot.
let’s look at a program say Microsoft Word which when executed as a process could give birth to other instance of the same process(documents). - document 1(process1),document2(process2) and document 3(process3)
The question now is how comes about process 1, 2 and 3 in Microsoft word, and how does process 1 know what set of resources are been allotted to the program Microsoft Word while executing the program. Actually, it is the Window API functions such as createprocess, ntcreateprocess, createprocessasuser that are responsible for creating process 1, 2 and 3 within the Microsoft Word program. Each Windows process is represented by what we call the Executive Process Block (a.k.a Eprocess). Eprocess block has the ‘attributes’ of the process and other related data structure like Kernel Process Block (KProcess) and Process Environment Block (PEB).
In order to understand all these terms, we need to download a debugging tool for Windows and start windbg.exe in the kernel debugging mode. I used a debugging tool called Livekd .Some of these commands will give you a clear view of the data structure.
dt_Eprocess command gives the Eprocess data structure
dt_Kprocess gives the Kernel Process Block
!process give the address of PEB
When you use a debugging tool to view the kernel process block, you will see fields like:
dispatcher
Resident kernel stack count
Default thread quantum
Thread seed
Attribute field like the image filename and image base address are two field in the Process block that will let process 1, 2 and 3 know the resources used by the Microsoft Word program. Since the createprocess function creates the instances of process 1, 2 and 3 lets now see the stages of the process creation
Stage 1: open EXE and create section object
Stage 2: create Windows Process Object
Stag 3: create Window Thread Object
Stage 4: notify Windows subsystem
Stage 5: start execution of the internal thread
In our example above since Microsoft Word is an executable file in Windows (winword.exe), it is used directly in the createprocess. However if the image is a non windows program createprocess goes through a series of steps to find a Windows support image to run it, then the createprocess calls a second function call ntcreateprocess to create a Windows Process Object which will run the image
sose
have a super week
