Let's say we are looking for a process in Windows Task Manager, or for a connection using the netstat command, and a process or connection we know should be listed is not there. A rootkit may be hiding processes from Task Manager or connections from the netstat command. For example, the following steps install a rootkit on the system that hides the notepad.exe process and also all HTTP (port 80) and HTTPS (port 443) traffic.
- Download rootkit1.zip
  Note: Your anti-virus may prevent this file from being downloaded.
- Go to your Downloads folder and extract the contents of the rootkit1.zip archive
- Move hxdef100.exe and hxdef100.ini to C:\
- Open hxdef100.ini in Notepad and add the following:
  - In the [Hidden Processes] section, add notepad.exe
  - In the [Hidden Ports] section, add 80 and 443 after TCPO (example: TCPO:80,443)
- Select File > Save
- Type hxdef100.exe -:noservice to start the rootkit
Warning! You need to be aware of what you are doing here. By starting the rootkit, you will no longer be able to view the notepad.exe process or HTTP and HTTPS traffic using the netstat command. If you proceed, ensure you know how to stop the rootkit.
The rootkit is now working. If you open Notepad and go to the Processes tab in Task Manager, the notepad.exe process will not be listed. Likewise, if you open a Web browser and go to any website, the netstat command will not produce any output for those connections.
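The defender-side counterpart to this behaviour is a cross-view check: enumerate the same objects through several different paths and look for entries that appear in one listing but not in another. The PowerShell script below is an added example and is not part of the original page or of the rootkit distribution. It assumes a Windows host with Windows PowerShell 5.1 or PowerShell 7, the NetTCPIP module (Get-NetTCPConnection), and an elevated prompt so that netstat -ano reports every owning PID; the function names are my own. It compares three process views (Get-Process, tasklist.exe, and the WMI/CIM Win32_Process class) and two TCP views (netstat.exe and Get-NetTCPConnection) and reports anything missing from a view.

```powershell
# Added example (not from the original page): cross-view comparison of process
# and TCP connection listings, the kind of discrepancy a hiding rootkit creates.
# Assumptions: Windows, elevated prompt, NetTCPIP module present.

function Get-ProcessViews {
    # View 1: Get-Process uses the .NET Process API in this PowerShell process.
    $ps  = Get-Process | ForEach-Object { [int]$_.Id }
    # View 2: tasklist.exe enumerates from a separate process; CSV columns are
    # Image Name, PID, Session Name, Session#, Mem Usage.
    $tl  = tasklist.exe /FO CSV /NH |
           ConvertFrom-Csv -Header Name,PID,Session,SessNum,Mem |
           ForEach-Object { [int]$_.PID }
    # View 3: WMI/CIM is answered by the WMI provider host, not by the caller.
    $cim = Get-CimInstance Win32_Process | ForEach-Object { [int]$_.ProcessId }
    @{ GetProcess = $ps; Tasklist = $tl; Cim = $cim }
}

function Get-ConnectionViews {
    # View 1: netstat.exe, the tool this rootkit configuration targets.
    # Keep only TCP rows; strip IPv6 brackets so both views format alike.
    $ns = netstat.exe -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -ge 4) { ($f[1] + '->' + $f[2]) -replace '[\[\]]', '' }
    }
    # View 2: Get-NetTCPConnection reads the TCP table through CIM.
    # 'Bound' sockets are not shown by netstat, so exclude them to avoid noise.
    $nt = Get-NetTCPConnection | Where-Object { $_.State -ne 'Bound' } | ForEach-Object {
        "$($_.LocalAddress):$($_.LocalPort)->$($_.RemoteAddress):$($_.RemotePort)"
    }
    @{ Netstat = $ns; NetTCPConnection = $nt }
}

function Compare-Views {
    # Takes a hashtable of view name -> array of entries and returns one
    # record per (view, entry) where the entry exists in some other view only.
    param([hashtable]$Views)
    $union = $Views.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($name in $Views.Keys) {
        foreach ($entry in $union) {
            if ($Views[$name] -notcontains $entry) {
                [pscustomobject]@{ View = $name; MissingEntry = $entry }
            }
        }
    }
}

# Take each set of views twice a few seconds apart; an entry that is missing
# from the same view in both rounds is a stable discrepancy worth a closer look,
# whereas a PID or connection that only differs once is usually just churn.
function Invoke-CrossViewCheck {
    $first  = Compare-Views (Get-ProcessViews)
    $firstC = Compare-Views (Get-ConnectionViews)
    Start-Sleep -Seconds 3
    $second  = Compare-Views (Get-ProcessViews)
    $secondC = Compare-Views (Get-ConnectionViews)

    $stableProcs = $second | Where-Object {
        $s = $_; $first | Where-Object { $_.View -eq $s.View -and $_.MissingEntry -eq $s.MissingEntry }
    }
    $stableConns = $secondC | Where-Object {
        $s = $_; $firstC | Where-Object { $_.View -eq $s.View -and $_.MissingEntry -eq $s.MissingEntry }
    }
    [pscustomobject]@{ Processes = $stableProcs; Connections = $stableConns }
}

$result = Invoke-CrossViewCheck
"Stable process discrepancies:";    $result.Processes   | Format-Table -AutoSize
"Stable connection discrepancies:"; $result.Connections | Format-Table -AutoSize
```

A discrepancy is a lead, not proof: a rootkit that hooks every user-mode enumeration path on the host can make all of these views agree, and the one view it cannot alter is the traffic itself. If the netstat output on the host shows no port 80 or 443 connections while a packet capture taken on another machine, a span port, or the gateway does show them, that contradiction is the most reliable indicator this page's scenario leaves behind.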