This tools is allowed to use only for penetration testing and other white-hat activities. Malicious use is absoloutly frobidden!
ProcessHider is a post-exploitation tool designed to hide processes from monitoring tools such as Task Manager and Process Explorer, thus preventing the admins from discovering payload’s processes. The tool works on both 32 and 64 bit versions, by self detecting the OS version and using the right version of the tool.
call the main file, ProcessHider, which is under MainFile/, from cmd, using the following options: -i – specify process IDs that you want to hide, seperated by commas (without space!) -n – specify process names that you want to hide, seperated by commas (again, no spaces) -x – specify monitoring applications you want to avoid, other than defaults (powershell.exe,taskmgr.exe,procexp.exe,procexp64.exe,perfmon.exe)
example usage: ProcessHider -i 5454,3672 -n “chrome.exe,notepad.exe” -x “cmd.exe”
note: you need to use at least one of -i or -n. The hider will make sure to hide itself as well.
Structure and operation
First, the hider checks whether the OS is 32 bit or 64 bit, and chooses the right version to use. Then, it launches a daemon, which looks for one of the frobidden monitoring tools. When it finds one – it uses DLL injection to launch the payload – which hooks the call to NtQuerySystemInformation – the method the OS tools use to enumerate active processes, and deletes each of the processes specified (and the daemon) from the results. Passing processes information to the injected DLL is done by a file, whose location is hardcoded.