FreeKB - How to hide process and connections in netstat using a rootkit
How to hide process and connections in netstat using a rootkit

Home > Search > How-to

Let's say we are looking for a process in Windows Task Manager, or a connection using the netstat command, and a connection we know should be listed is not listed. There may be rootkit hiding processes in Windows Task Manager or connections in the netstat command. For example, the following installs a rootkit on the system that hides the notepad.exe process and also all HTTP (80) and HTTPS (443) traffic.

  1. Download

Note: Your anti-virus may prevent this file from being downloaded.

  1. Go to your Downloads folder, and extract the contents of the folder
  2. Move hxdef100.exe and hxdef100.ini to C:\\
  3. Open hxdef100.ini in Notepad and add the following:
    • In the [Hidden Processes] section add notepad.exe
    • In the [Hidden Ports] section, add 80 and 443 after TCPO (example: TCPO:80,443)
  4. Select File > Save
  5. Type hxdef100.exe -:noservice to start the rootkit

Warning! You need to be aware of what you are doing here. By starting the rootkit, you will no longer be able to view the notepad.exe process or HTTP and HTTPS traffic using the netstat command. If you proceed, ensure you know how to stop the rootkit.

The rootkit is now working. If you open Notepad and go to the processes tab in Task Manager, the notepad.exe process will not be listed. Likewise, if you open a Web browser and go to any website, the netstat command will not produce any output.


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter in the box below so that we can be sure you are a human.