
~ xio

This blog is about cyber security and programming.

Direct Kernel Object Manipulation (DKOM)

In this post, we talk about manipulating the _EPROCESS structure in the kernel and how it can be used to hide processes.

Overview

Rootkits commonly hide a process by manipulating kernel structures such as _EPROCESS. _EPROCESS is the kernel object that describes a process: every process running on the system has exactly one _EPROCESS object, allocated in kernel memory. Among other things it holds the process ID (UniqueProcessId), the list links that chain it into the system-wide list of active processes (ActiveProcessLinks), and a pointer to the process's _PEB (Process Environment Block), which itself lives in user-mode memory.
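The following is an added example, not code from the original post and not a kernel driver: it is a user-mode simulation of the classic DKOM process-hiding trick. The struct EPROCESS_MOCK is an assumed stand-in for the real _EPROCESS that keeps only the fields the technique touches (UniqueProcessId and ActiveProcessLinks, which are real field names; the layout is not). The list built here stands in for the live PsActiveProcessHead list, so the code runs anywhere and shows both sides: how unlinking one entry makes it vanish from a list walk while the object itself stays intact, and how a cross-view comparison against a second source of process objects reveals it.

```c
/* Added example: user-mode simulation of DKOM process hiding and of the
 * cross-view check that detects it. Not kernel code; EPROCESS_MOCK is an
 * assumed stand-in for the real _EPROCESS. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Mock _EPROCESS: only the fields a process-hider cares about. */
typedef struct _EPROCESS_MOCK {
    uintptr_t  UniqueProcessId;      /* the PID */
    LIST_ENTRY ActiveProcessLinks;   /* links into the system-wide process list */
    char       ImageFileName[16];    /* real field is 15 chars + NUL */
} EPROCESS_MOCK;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Circular list head: the stand-in for PsActiveProcessHead. */
static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* What the rootkit does: splice the entry out of the list, then point the
 * entry at itself so that a later unlink on process exit is a harmless
 * no-op instead of corrupting the list. The _EPROCESS object is untouched. */
static void dkom_hide(EPROCESS_MOCK *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e;
    e->Blink = e;
}

/* The list walk behind tools such as tasklist: returns the number of PIDs
 * written to out[]. A hidden process never shows up here. */
static size_t enumerate_pids(LIST_ENTRY *head, uintptr_t *out, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS_MOCK, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Cross-view detection: compare the list walk with a second view of the same
 * objects (here the pool they were allocated from, standing in for e.g. a
 * handle-table walk or a pool scan). A PID present in the second view but
 * absent from the list is a hidden process. */
static size_t find_hidden(LIST_ENTRY *head, EPROCESS_MOCK *pool, size_t count,
                          uintptr_t *hidden, size_t max) {
    uintptr_t listed[64];
    size_t nl = enumerate_pids(head, listed, 64), nh = 0;
    for (size_t i = 0; i < count && nh < max; i++) {
        int seen = 0;
        for (size_t j = 0; j < nl; j++)
            if (listed[j] == pool[i].UniqueProcessId) { seen = 1; break; }
        if (!seen) hidden[nh++] = pool[i].UniqueProcessId;
    }
    return nh;
}

typedef struct {
    size_t    visible;      /* processes seen by the list walk after hiding */
    size_t    hidden;       /* processes found only by the cross-view check */
    uintptr_t hidden_pid;   /* first hidden PID, 0 if none */
    int       self_linked;  /* hidden entry points at itself */
} scenario_result;

/* Constructed sample: three mock processes; PID 1234 gets hidden. */
static scenario_result run_scenario(void) {
    EPROCESS_MOCK pool[3] = {
        { 4,    {0, 0}, "System" },
        { 1234, {0, 0}, "hidden.exe" },
        { 5678, {0, 0}, "explorer.exe" },
    };
    LIST_ENTRY head;
    list_init(&head);
    for (size_t i = 0; i < 3; i++)
        list_insert_tail(&head, &pool[i].ActiveProcessLinks);

    dkom_hide(&pool[1]);

    scenario_result r;
    uintptr_t listed[8], hidden[8];
    r.visible     = enumerate_pids(&head, listed, 8);
    r.hidden      = find_hidden(&head, pool, 3, hidden, 8);
    r.hidden_pid  = r.hidden ? hidden[0] : 0;
    r.self_linked = pool[1].ActiveProcessLinks.Flink == &pool[1].ActiveProcessLinks
                 && pool[1].ActiveProcessLinks.Blink == &pool[1].ActiveProcessLinks;
    return r;
}

int main(void) {
    scenario_result r = run_scenario();
    printf("list walk sees %zu processes; cross-view found %zu hidden (PID %lu)\n",
           r.visible, r.hidden, (unsigned long)r.hidden_pid);
    return r.hidden == 1 ? 0 : 1;
}
```

The point of the self-link in dkom_hide is operational: on a real system the process keeps running with its scheduling state intact, and when it eventually exits the kernel unlinks it from ActiveProcessLinks again, which is only safe if the entry no longer points at its old neighbours. The detection side is equally general: any second enumeration path (handle table, pool scan, scheduler threads) that does not depend on the linked list will disagree with the list walk, and that disagreement is the signal.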

Masquerading Processes via PEB

In this post, we explain how to make a process appear with the information of another process by modifying its Process Environment Block (PEB).

Overview

Information about a process, such as its command-line arguments, image path and loaded modules, is stored in memory in a structure called the Process Environment Block (_PEB). The PEB lives in the process's own user-mode address space, so it can be read and written from user mode. Tools like Process Explorer display some of their process information by reading the _PEB, so a process that rewrites its own PEB fields can masquerade as a different process in those tools. The kernel's own records of the process (for example the image name kept in _EPROCESS) are not changed by this, which is what a cross-check between the two views can rely on.

WMI Event Subscription

Windows Management Instrumentation (WMI) event subscription is one way to establish persistence on a Windows host. In this post, we talk about WMI event subscriptions and how red teams use them.

Overview

Microsoft describes this feature as follows: "WMI contains an event infrastructure that produces notifications about changes in WMI data and services. WMI event classes provide notification when specific events occur." Persistence via WMI event subscription usually requires the creation of the following three classes: