How Can I Create a Process That Stays Hidden from Task Manager?

Asked By CuriousCoder42 On

I'm a cybersecurity student working on a school project where I need to code something that creates a process that won't show up in Task Manager and starts with the system. I've heard about using rootkits for this, but I'm kind of stuck and can't find useful resources. Any advice on how to approach this or a roadmap would be really helpful!

3 Answers

Answered By CodeExplorer99 On

Rootkits can definitely do this. To hide a process, you need to understand the _EPROCESS structure that Windows uses. Basically, each process has links that point to other processes, and some malware will unlink itself from this list, which makes it invisible to tools like Task Manager. You might want to check out more about ActiveProcessLinks and how they work. Resources like ired.team have some examples you could look at, even if they focus more on Windows 10. Just be aware that even if it doesn't show up in Task Manager, the process is still there in memory!

GratefulUser88 -

Thanks for the insights! I’ll check out that site.
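
The answer's closing point, that an unlinked process is still present in memory, is what cross-view detection relies on. The following is an added example, not part of the original thread: it compares a walk of the process list against a list-independent scan over a constructed snapshot. The addresses, PIDs, process names and the `exited` flag (a stand-in for a recorded exit time) are all made up for illustration.

```python
# Constructed snapshot: address -> process record. "flink"/"blink" model the
# ActiveProcessLinks pointers; every address, PID and name here is made up.
HEAD = 0x1000  # stands in for the list head kept by the kernel

def rec(pid, name, flink, blink, exited=False):
    return {"pid": pid, "name": name, "flink": flink, "blink": blink, "exited": exited}

SNAPSHOT = {
    0x1000: rec(0, "<list head>", 0x2000, 0x5000),
    0x2000: rec(4, "System", 0x3000, 0x1000),
    0x3000: rec(612, "svchost.exe", 0x5000, 0x2000),
    0x4000: rec(3120, "updater.exe", 0x5000, 0x3000),  # neighbours skip this one
    0x5000: rec(4488, "explorer.exe", 0x1000, 0x3000),
    0x6000: rec(2044, "notepad.exe", 0x5000, 0x3000, exited=True),  # terminated
}

def walk_list(snapshot, head=HEAD):
    """Follow flink pointers from the head, as a list-based enumerator would.
    Also records entries whose blink does not point at the previous entry."""
    seen, broken = [], []
    prev, addr = head, snapshot[head]["flink"]
    while addr != head and addr in snapshot and addr not in seen:
        if snapshot[addr]["blink"] != prev:
            broken.append(addr)
        seen.append(addr)
        prev, addr = addr, snapshot[addr]["flink"]
    if addr == head and snapshot[head]["blink"] != prev:
        broken.append(head)
    return seen, broken

def cross_view(snapshot, head=HEAD):
    """Compare the list view with every record present in the snapshot
    (the view a scan of memory that ignores the list would produce)."""
    listed, broken = walk_list(snapshot, head)
    missing = {a for a in snapshot if a != head} - set(listed)
    return {
        "listed": [snapshot[a]["pid"] for a in listed],
        # Present in memory, absent from the list, and not terminated.
        "hidden": sorted(snapshot[a]["pid"] for a in missing if not snapshot[a]["exited"]),
        # Terminated processes are also absent from the list: expected, not suspicious.
        "exited": sorted(snapshot[a]["pid"] for a in missing if snapshot[a]["exited"]),
        "broken_links": broken,
    }

if __name__ == "__main__":
    for key, value in cross_view(SNAPSHOT).items():
        print(f"{key}: {value}")
```

Filtering on termination matters because records of exited processes can linger in memory and would otherwise be reported as hidden.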

Answered By InfoSeeker21 On

While this isn’t strictly a PowerShell issue, you can find some relevant info out there. For instance, malware often uses similar techniques to hide processes. If you want to dive deeper, make sure you understand how Windows manages processes in memory—you might run into tools like WinDbg, which can give you a more hands-on look at kernel structures. Just keep in mind, this is more of an advanced topic, but it can be very enlightening!

AspiringDev14 -

Appreciate the suggestion! Might give that a shot.

Answered By TechEnthusiast07 On

It sounds like you're trying to go down the rootkit path to hide processes. Just a heads-up, the advanced classes for creating rootkits are typically for experienced cyber security students. If you're just starting out, this might be a bit out of your depth. But hey, maybe you’re looking for ways to see how far you can push your skills, right? Just be careful with where you're trying this out!

LearningNerd22 -

Or maybe you’re just unfamiliar with how to get the right info? Don’t worry, we’ve all been there!
