0

Is there a way to make a process hidden without using any Administrator-level privileges? I am building an antivirus which I want to protect from malware's actions, such as ending the process, or even detecting it. BTW, the targeted operating system is Windows.

Are there any C++ or C# libraries or examples for how to do this, and is it possible?

user96931

  • Think about this: "Is there a way to make a virus hidden without using any Administrator-level privileges? I am building a virus which I want to protect from antivirus's actions, such as ending the process, or even detecting it." Would it make sense to have this functionality? – Josef Jan 29 '19 at 15:47
  • Can you define "hidden"? – schroeder Jan 29 '19 at 15:51
  • You - on your lonesome - are looking to build your own antivirus? Without extensive knowledge of the target operating system? – Clockwork-Muse Jan 29 '19 at 18:31
  • @Clockwork-Muse, I am not making a commercial antivirus, but a simple one designed to handle a very specific threat-base. In addition, I am going to leverage others' libraries to ensure that my antivirus is as competent as it can be. – user96931 Jan 29 '19 at 18:54

2 Answers

1

https://www.apriorit.com/dev-blog/160-apihooks Here's a good tutorial and explanation on this. Many antiviruses are taking the same step and using malware-like functionality in order to combat malware. Pretty neat how everything is transforming.

Mhook library

Several API hooking libraries exist. Typically, they do the following:

Replace the initial part of a defined function's code with our own code (also known as a trampoline). Upon execution, the function jumps to a hook handler.
Store the original version of the replaced code of the defined function. This is required for the defined function to operate properly.
Restore the replaced part of the defined function.

About API hooking

Windows API hooking is a process that allows you to intercept API function calls. This gives you control over the way the operating system or a piece of software behaves. Some of the software solutions that utilize hooks include: antimalware software, application security solutions, security monitoring tools, system utilities, tools for programming, and many others.

API hook types

API hooks can be divided into the following types:

Local hooks: These influence only specific applications.
Global hooks: These affect all system processes.

The type of hook technique for Windows that we cover here belongs to the global type. It affects all processes across all sessions (as opposed to the SetWindowsHooks method, which is limited only to a selected desktop).

J Doe
  • This doesn't actually create a new, ongoing, process, though, right? Just lets you run your code before (or instead of) the "real" code. – Clockwork-Muse Jan 29 '19 at 18:30
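The detour the quoted steps describe (overwrite the first bytes of a function with a jump to the handler, keep the original bytes, restore them) is exactly what an integrity check on the defensive side looks for. The following is an added example in C, not code from the apriorit article or the Mhook library: it compares a function's live prologue with a clean reference copy, classifies the common trampoline shapes, and resolves where a 5-byte `E9` detour lands. The reference bytes, hooked bytes and load address are constructed samples; on Windows the reference would come from the export's bytes in the DLL file on disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PROLOGUE_LEN 16  /* bytes compared; wide enough for every trampoline shape below */

enum hook_verdict {
    PROLOGUE_CLEAN,        /* live bytes equal the reference copy */
    PROLOGUE_JMP_REL32,    /* E9 rel32: the classic 5-byte detour */
    PROLOGUE_JMP_INDIRECT, /* FF 25 disp32: jmp [rip+disp32] */
    PROLOGUE_MOV_JMP_RAX,  /* 48 B8 imm64 FF E0: mov rax,imm64; jmp rax */
    PROLOGUE_PUSH_RET,     /* 68 imm32 C3: push imm32; ret */
    PROLOGUE_MISMATCH      /* changed, but not a trampoline shape we know */
};

/* Compare a function's first bytes as mapped in memory ("live") with a clean reference
 * (for example the same export read from the DLL on disk). A byte-exact match is
 * reported clean even if it starts with a jmp, because legitimate stubs do too. */
enum hook_verdict classify_prologue(const uint8_t *live, const uint8_t *ref, size_t len)
{
    if (memcmp(live, ref, len) == 0)
        return PROLOGUE_CLEAN;
    if (len >= 5 && live[0] == 0xE9)
        return PROLOGUE_JMP_REL32;
    if (len >= 6 && live[0] == 0xFF && live[1] == 0x25)
        return PROLOGUE_JMP_INDIRECT;
    if (len >= 12 && live[0] == 0x48 && live[1] == 0xB8 && live[10] == 0xFF && live[11] == 0xE0)
        return PROLOGUE_MOV_JMP_RAX;
    if (len >= 6 && live[0] == 0x68 && live[5] == 0xC3)
        return PROLOGUE_PUSH_RET;
    return PROLOGUE_MISMATCH;
}

/* Where an E9 detour lands: rel32 is relative to the end of the 5-byte instruction.
 * func_va is the virtual address the hooked function is mapped at. */
uint64_t jmp_rel32_target(uint64_t func_va, const uint8_t *live)
{
    int32_t rel;
    memcpy(&rel, live + 1, sizeof rel);  /* little-endian rel32 */
    return func_va + 5 + (int64_t)rel;
}

/* Constructed samples: a common x64 prologue (mov [rsp+8],rbx; push rdi; sub rsp,20h; ...)
 * and the same bytes after a detour to func_va + 0x1000 was written over the first five. */
const uint8_t CLEAN_REF[PROLOGUE_LEN] = {
    0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20, 0x48,0x8B,0xD9, 0x48,0x8B,0xFA };
const uint8_t HOOKED_JMP[PROLOGUE_LEN] = {
    0xE9,0xFB,0x0F,0x00,0x00, 0x57, 0x48,0x83,0xEC,0x20, 0x48,0x8B,0xD9, 0x48,0x8B,0xFA };
```

A mismatch that is not one of the listed shapes still deserves a look, since hot-patch stubs and packers rewrite prologues in other ways.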
0

I like the idea of using malware techniques - you could always look at process hollowing. It would force any malware to include antivirus methods to detect such programs, oh what a world having the two different techniques flipped on each other.

McMatty