Rootkit Hide Processes

Code

https://github.com/S12cybersecurity/S12URootkit

👁️‍🗨️ User-Land Rootkit: Hiding Processes with Loki Rat

This video shows how Loki Rat hides running processes using a user-land rootkit technique.
A rootkit is a set of methods that hides files, registry keys, or processes to avoid detection by users or security tools.

🎯 Goal of this technique

The goal is to hide malicious processes—like usermodkit.x—from:

• Task Manager

• Process Explorer

• Process Hacker
  This way, even if the malware is active, it won’t be visible in any standard process list.

🧠 How it works

1. DLL Injection

   • Loki Rat injects a malicious DLL into a target process.

   • In this case, the DLL is injected into Task Manager itself.

2. Function Hooking

   • The malware hooks the NtQuerySystemInformation function.

   • This Windows API is responsible for listing all running processes.

3. Process Filtering

   • When a tool like Task Manager asks for the process list, the hook intercepts the request.

   • The custom hook function removes any matching hidden processes before sending the data back.

   • Result: The system acts like those processes never existed.

🧰 Technical Breakdown

• API Hooking Library:
  Loki Rat uses Microsoft Detours to redirect API calls.

• Hook Setup Location:
  Inside the DllMain() function during the DLL_PROCESS_ATTACH event.

• Steps to Hook:

  1. Use GetModuleHandle() and GetProcAddress() to get the original address of NtQuerySystemInformation.

  2. Start a Detours transaction.

  3. Attach the custom function.

  4. Commit the transaction.

• Inside the Hook:

  • First, the original NtQuerySystemInformation is called to get all processes.

  • Then, it checks each process name against a list of names to hide (stored in an array or vector).

  • Matches are removed from the list.

  • Finally, the cleaned-up process list is returned.

🛡️ Why this works

Most antivirus and EDR systems look at processes using the same functions as Task Manager.
Since the hook alters what those tools receive, it becomes much harder to detect the malware.
This method works especially well against basic and mid-level defenses.

🧪 Demo (Proof of Concept)

1. Run the user-mode rootkit binary (UserRootkit.exe).
   This must be run as administrator.

2. Once it’s running, you can send commands to hide specific processes.

3. Even with Task Manager open, the hidden processes will not appear.

4. Note: Debugging this from Visual Studio is difficult because the DLL is injected into another process.

✅ Summary

The process hiding technique in Loki Rat uses:

• DLL Injection

• Function hooking with Detours

• Memory filtering of process lists

This keeps malicious processes hidden from users and tools that rely on standard system APIs.
It’s a powerful way to stay invisible in plain sight.