#1 ceh430 (New member, joined 2010 Sep, 25 posts)

    Disable PatchGuard + hide a process on Windows 7 x64

    Hello all!

    Although I recommend that users just use VMware Workstation with Windows XP x86 as a virtual machine (no modification is required there to hide/cloak processes)...

    I myself could not stand the fact that I was unable to hide my hacks under Windows 7/Vista (x64). So I had to seek out the method used to disable the mighty PatchGuard implemented by Microsoft to prevent drivers from being loaded that are "unsigned"; this is mostly for the protection of your own computer! (Which is why this method will give you a choice at the boot menu to enable/disable PatchGuard.)


    You can use this guide for any hack/game; it's not restricted just to running AIKA cheats/hacks!


    1. Download files

    First you will need to download:


    <<<Or get these files also from my attachments>>>



    2. Disable UAC on Windows 7


    THIS GUIDE ALSO ASSUMES YOU HAVE UAC (User Account Control) DISABLED!!! (REBOOT PC/VM AFTER DISABLING!)

    Windows 7 makes it much easier to deal with UAC settings, and in fact you don’t have to completely disable UAC if you don’t want to. Just type UAC into the start menu or Control Panel search box.



    You can simply drag the slider up or down, depending on how often you want to be alerted.




    If you drag it all the way down to the bottom, you’ll have disabled it entirely.





    3. Install Windows 7 on your VMware Workstation

    This step is <<Optional but RECOMMENDED!>>



    VMware Workstation (Virtual Machine)

    Info: A virtual machine (VM) is a "completely isolated guest operating system installation within your normal host operating system".[1] Modern virtual machines are implemented with either software emulation or hardware virtualization.




    4. Disable PatchGuard


    Step 1: After you have downloaded the files above, extract them to a folder called "x64_hiding" (just an example; use whatever you want). It should look like the picture below.



    OK... So now that we have our patch files, we are ready to go! The actual patching process is easy (thanks to Fyyre), but it's the danger of messing with Windows internals that makes this guide for advanced users only.


    Step 2: Assuming you downloaded the patch files (links above), the picture below shows the steps and explains a bit of what each file does.




    Step 3: Assuming you disabled UAC and rebooted, run batch file #1. Success should look like the picture below (if you get error 5, reboot the PC and try again).



    Step 4: After a successful run of batch file #1, go ahead and run the patcher (2.exe).



    Step 5: After a successful patch, go ahead and run batch file #3 (this will/should execute checksum.exe).

    Now reboot your VM/PC, and a boot menu should pop up for 10 seconds asking you whether you want PatchGuard enabled or disabled.



    Step 6: After completing all the steps above, Windows should load without errors (see below on how to uninstall). Now we can use HideCon or another process cloaker/hider on your Win7 PC!

    Code:
    How to uninstall:
    
    open cmd.exe and input:
    
    bcdedit /delete {46595952-454E-4F50-4747-554944FEEEEE}
    
    now from \windows\system32 delete: ntkrnlmp.exe & osload.exe
    
    ..or simply use default entry "Windows 7" upon boot.
    
    Always remember this:  This patch is for fellow reverse engineers and x64 kernel mode exploration.
    This is not for end-users... if you do not understand the 'what' or 'why' -- do not use it.


    5. Hide a Process

    Step 1 - Installing Process Hider

    As I said, you need hidecon (aka Process Hider/HideProc); you can get it from here, or it is also included in DisablePG+HideProc~repack.
    Once downloaded, you'll need to extract the files from the zip file onto your computer. The easiest place to put it is in a folder on your desktop. I have mine in Desktop\hidecon, and I'm going to base the guide off that. To avoid confusion, it would be best for you to do the same.

    Step 2 - Running hidecon

    Since hidecon is a command line program and does not have a GUI, you'll have to run it directly from the command line. You'll do this by opening your start menu and typing "cmd" and pressing enter.



    You'll now have a command line window open. You now need to navigate to hidecon's location within the command line. This is done by typing "cd C:\Users\<yourusername>\Desktop\hidecon" and pressing enter.



    Now that your command line is pointed at hidecon's location, you can run it! This is done by simply typing "hidecon" (the name of the exe file) into the command line and pressing enter!



    Hidecon will output all the possible options that you can run it with, for example "hidecon -l", and what each option does.

    Step 3 - Loading the ioport3 driver

    Now that you're all set up and ready to go, you'll need to load the iport3 driver with hidecon. The iport3 driver allows hidecon to interact with your running processes and modify them. To be able to do this, you'll need to have PatchGuard disabled (see ... above for this <<Captain Obvious Strikes Again>>). You'll also need User Account Control (UAC) disabled. Your user account also needs to be assigned as an administrator.

    To load the driver, just type "hidecon -ld" into your command line. If you have everything set up properly, you'll get the output "Driver loaded succesfully.". If not, you haven't done everything properly. I'll post a screenshot of the correct output later, I don't want to disable Patchguard on my work PC.

    Step 4 - Finding the process you want to hide.

    Next, you need to determine the PID (Process ID) of the program you want to hide. This is done by typing "hidecon -l". Hidecon will then spit out a list of all your running processes; the one you want will usually be near the bottom. Just find the file name that you're wanting to hide, and note its PID. We'll just say that my hack is "audiodg.exe" with a PID of 5224.



    Step 5 - Hiding the process

    This is the last step! Now that you've located the process you wish to hide, you'll enter "hidecon -ph <PID>". For this example, I would type "hidecon -ph 5224". If you've done everything correctly up to this point, you should be rewarded with "Process Hidden". Congratulations! You've just hidden a process. Keep in mind that you'll have to do this each time you run a hack, but you'll get used to it and be able to do it in less than a minute!





    -----------------------------------
    This Guide uses tools provided by: binary modifications, etc - by Fyyre


    Last edited by Grooguz; 2012-01-30 at 03:31 AM. Reason: corrected some typos

    The following 2 users say thank you to ceh430 for this useful post.


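Two details in the post above are what a defender or forensic examiner would actually go looking for on a suspect Windows 7 x64 host: the uninstall step names the extra boot entry, `{46595952-454E-4F50-4747-554944FEEEEE}`, and the two files it drops into `\Windows\System32`, `ntkrnlmp.exe` and `osload.exe`. Neither file is present in a stock System32, and the stock boot-loader entry's `path` element is `\Windows\system32\winload.exe` with no `kernel` element at all. The script below is an added example written for this page, not code from the post or from Fyyre's tools: it parses the text of `bcdedit /enum all` (capture it from an elevated prompt with `bcdedit /enum all > bcd.txt`), flags the known GUID, any loader entry whose `path` or `kernel` deviates from stock, and, going a little beyond this guide, the generic `testsigning` / `nointegritychecks` switches that weaken driver-signature enforcement. The embedded BCD dump is constructed; the element values shown on the patched entry (`osload.exe` as the loader, `ntkrnlmp.exe` as the kernel) are my assumption about how such an entry looks, since the post only gives the GUID and the file names. One caveat for the prose above: PatchGuard (Kernel Patch Protection) and driver-signature enforcement are separate mechanisms; what this kind of patch does is boot a modified kernel and loader through a second BCD entry, which is exactly why a BCD review catches it.

```python
"""Look for the boot entry and dropped files left by a PatchGuard-disable patch.

Added example for this thread, not Fyyre's tooling. Works offline on the text
of `bcdedit /enum all`; the wrapper at the bottom also checks System32 when
run on a live Windows host.
"""
import os
import re

# GUID of the entry the guide's uninstall step deletes (taken from the post).
PATCHGUARD_ENTRY_GUID = "{46595952-454e-4f50-4747-554944feeeee}"

# Stock Windows 7 x64 boot-loader values. A stock entry has no `kernel` element.
DEFAULT_LOADER_PATH = r"\windows\system32\winload.exe"
DEFAULT_KERNEL = "ntoskrnl.exe"

# Files the guide's uninstall step removes from System32; not present on a stock install.
DROPPED_FILES = ("ntkrnlmp.exe", "osload.exe")

# Not used by this guide, but the usual BCD switches that weaken signature enforcement.
DSE_WEAKENING_FLAGS = ("testsigning", "nointegritychecks")

_KV = re.compile(r"^(\S+)\s+(.*\S)\s*$")


def parse_bcd_dump(text):
    """Turn `bcdedit /enum all` output into a list of dicts.

    Each entry is a blank-line-separated block: a title line, a dashed rule,
    then `key  value` rows. Keys are lowercased; the title is kept as "_section".
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines() if line.strip()]
        if len(lines) < 2 or not set(lines[1]) <= {"-"}:
            continue  # not a bcdedit section
        entry = {"_section": lines[0]}
        for line in lines[2:]:
            match = _KV.match(line)
            if match:  # continuation lines (e.g. extra displayorder GUIDs) have no key
                entry[match.group(1).lower()] = match.group(2)
        entries.append(entry)
    return entries


def find_suspicious_entries(text):
    """Return [(identifier, [reasons...])] for entries worth a closer look."""
    findings = []
    for entry in parse_bcd_dump(text):
        ident = entry.get("identifier", "?").lower()
        reasons = []
        if ident == PATCHGUARD_ENTRY_GUID:
            reasons.append("identifier matches the PatchGuard-disable entry from this guide")
        if entry["_section"] == "Windows Boot Loader":
            path = entry.get("path", "").lower()
            if path and path != DEFAULT_LOADER_PATH:
                reasons.append(f"non-default loader path {entry['path']}")
            if entry.get("kernel", DEFAULT_KERNEL).lower() != DEFAULT_KERNEL:
                reasons.append(f"alternate kernel element {entry['kernel']}")
            for flag in DSE_WEAKENING_FLAGS:
                if entry.get(flag, "").lower() == "yes":
                    reasons.append(f"{flag} is on")
        if reasons:
            findings.append((ident, reasons))
    return findings


def dropped_kernel_files(names):
    """Given the file names found in System32, return the ones this patch drops."""
    lower = {name.lower() for name in names}
    return [name for name in DROPPED_FILES if name in lower]


def check_system32(system32=r"C:\Windows\System32"):
    """Live-host wrapper: empty list when the directory is absent (non-Windows)."""
    if not os.path.isdir(system32):
        return []
    return dropped_kernel_files(os.listdir(system32))


# Constructed dump: a stock {current} entry plus a hypothetical patched entry.
SAMPLE_BCD_DUMP = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {46595952-454E-4F50-4747-554944FEEEEE}
timeout                 10

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\Windows

Windows Boot Loader
-------------------
identifier              {46595952-454E-4F50-4747-554944FEEEEE}
device                  partition=C:
path                    \\Windows\\system32\\osload.exe
description             Windows 7 (PatchGuard disabled)
osdevice                partition=C:
systemroot              \\Windows
kernel                  ntkrnlmp.exe
"""


if __name__ == "__main__":
    for ident, reasons in find_suspicious_entries(SAMPLE_BCD_DUMP):
        print(ident)
        for reason in reasons:
            print("   -", reason)
    print("dropped files in System32:", check_system32())
```

On the constructed dump only the second loader entry is reported, with three reasons (known GUID, `osload.exe` as loader, `ntkrnlmp.exe` as kernel); the stock `{current}` entry is silent. Because the guide leaves the stock entry as the default and only adds a second one, a host can look perfectly normal at the desktop and still carry this entry, so the BCD review is worth more than looking at the running kernel.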
#2 yourtoba (New member, joined 2012 Jan, 8 posts)
    Help me here: after typing hidecon, the following error appears:
    "all commands a valid ProcessId, except -ld and -ud"

#3 kerleejilla25 (Guest)
    Hey guy, I tried clicking on your attachment and it doesn't work; it just shows a blank page. Maybe you can re-up it...

#4 katalin21k (Guest)
    ty mate

#5 uel888 (Guest)
    Could you share the source code?

#6 edge540 (Guest)
    Thanks for the contribution. I have been investigating PG lately as well.

#7 herukrayz (Guest)
    Fyyre's website can't be accessed anymore.
    The site only shows a blank page.

#8 hirugaa (Guest, joined 2017 Apr)
    Fyyre's website can't be accessed anymore; it shows error 404.

#9 yetime (Inactive, joined 2020 Nov)
    Fyyre's website can't be accessed anymore.
    The site only shows a blank page.
