Process hiding through ntdll.ZwQuerySystemInformation hook
The ZwQuerySystemInformation function returns the process list, so before you use this code you should check the function's structure (the layout of the data it returns).
ZwQuerySystemInformation
After the upgrade to Windows 7, only signed drivers can be loaded into the kernel.
So the approach used here is to hook ntdll.ZwQuerySystemInformation at user level and then unlink the target process from the process linked list that the function returns.
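As an added example from the detection side (not part of this project's code), the following Python function classifies the first bytes of an x64 Zw* stub and flags the entry-point jmp that a user-level hook like the one above installs; the stub bytes and the address are constructed, and on a live system they would be read from ntdll in the inspected process.

```python
# Added example: detect a user-level inline hook on the ntdll!ZwQuerySystemInformation stub.
# On x64 Windows an unhooked Nt/Zw stub begins with:
#   4C 8B D1          mov r10, rcx
#   B8 xx xx xx xx    mov eax, <syscall number>
# A hooked stub usually begins with jmp rel32 (E9) or jmp [rip+disp32] (FF 25)
# that diverts execution into the injected DLL.
import struct

CLEAN_PROLOGUE = b"\x4c\x8b\xd1\xb8"   # mov r10, rcx ; mov eax, imm32
MASK64 = 0xFFFFFFFFFFFFFFFF


def inspect_stub(stub: bytes, stub_va: int) -> dict:
    """Classify the first bytes of an x64 Zw* stub.

    stub    : at least 8 bytes read from the start of the function
    stub_va : virtual address the bytes were read from (used to resolve
              the jmp target for reporting)
    Returns a dict with 'hooked' and 'reason', plus 'syscall' for a clean
    stub, 'target' for a jmp rel32 hook or 'pointer_slot' for jmp [rip+disp].
    """
    if len(stub) < 8:
        raise ValueError("need at least 8 bytes of stub")
    if stub.startswith(CLEAN_PROLOGUE):
        syscall_no = struct.unpack_from("<I", stub, 4)[0]
        return {"hooked": False, "reason": "syscall stub intact", "syscall": syscall_no}
    if stub[0] == 0xE9:                       # jmp rel32: target = next_ip + rel
        rel = struct.unpack_from("<i", stub, 1)[0]
        return {"hooked": True, "reason": "jmp rel32 at entry",
                "target": (stub_va + 5 + rel) & MASK64}
    if stub[:2] == b"\xff\x25":               # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", stub, 2)[0]
        return {"hooked": True, "reason": "jmp [rip+disp32] at entry",
                "pointer_slot": (stub_va + 6 + disp) & MASK64}
    return {"hooked": True, "reason": "unexpected prologue " + stub[:4].hex()}


# Constructed sample bytes and address (not captured from a real system).
CLEAN_STUB = b"\x4c\x8b\xd1\xb8\x36\x00\x00\x00\xf6\x04\x25\x08\x03\xfe\x7f\x01"
HOOKED_STUB = b"\xe9\xfb\x0f\x00\x00" + b"\x90" * 11
STUB_VA = 0x00007FFB12340000

if __name__ == "__main__":
    for name, stub in (("clean", CLEAN_STUB), ("hooked", HOOKED_STUB)):
        print(name, inspect_stub(stub, STUB_VA))
```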
When I got a PID, I injected into the process with that PID. There are 5 steps for DLL injection:
1. Get a handle to the process using the PID.
2. Allocate memory in the target process for the DLL path.
3. Write the rootkit DLL path string into the allocated memory using WriteProcessMemory.
4. Get the address of LoadLibraryA using the GetProcAddress API.
5. Load the DLL through LoadLibraryA using CreateRemoteThread.
I'm currently a Korean university student, so there may be grammatically incorrect sentences, and the explanation is also lacking.
If you have any problems or questions, reply with your opinion. Thank you!