Most of the focus these days are on bad security practices that lead to an initial vulnerability on a system. But more often than not, no thought is given to what a malicious entity can do once gaining privileged access to a system.
After exploiting a vulnerable machine to gain access, A hacker must then choose how they want to leverage this over the user. Sometimes they will change internet connection settings to point the user to a malicious DNS server, or encrypt all of the users files, demanding a ransom for non existent decryption keys.
However, some may choose to install malicious code or programs to take advantage of the user. They will strive to try their best to hide this software from the user to make sure it gets left alone for as long as possible. This is where hidden processes come into play...
Okay hold on; first what is a process? Wikipedia defines a computer process as "an instance of a computer program that is being executed. It contains the program code and its current activity."
In normal people speak, it is a program loaded in memory that is currently being executed on the target machine. For instance, the web browser that you are reading this on now likely has multiple processes. A process can either be part of an existing program or can be its own entire, self contained thing.
By that logic, a hidden process is just a program (or part of one) running on a users machine that they cannot necessarily see or interact with. This means that the user is also likely not aware that the process is running either.
The Microsoft TechNet documentation states "[SC] communicates with the Service Controller and installed services. SC.exe retrieves and sets control information about services. You can use SC.exe for testing and debugging service programs." Basically, they're saying it is a developer tool used for diagnosing issues with windows services.
A "service" is the official name given to any process running on a windows system that runs in the background without the user being able to interact with them.
SC has a plethora of incredibly interesting attributes, but the main one we are interested in for now is create. Create is used to, well, create a new service.
start
defines when the service will start. boot
will
load the service in the windows bootloader. system
will load the
service during the initialisation of the windows kernel. auto
is
a service that loads upon restart and runs even if no one is logged into the
computer.
binpath
is used to specify the directory of the binary file executed
by the service. This allows us to point our service at any arbitrary executable;
we can even pass command line arguments to the executable!
failure
is our next handy function. It can be used to specify what
actions are taken when the service fails. reset
is the amount of time
in seconds that can pass before an action is taken; we can SPECIFY this action.
command
allows us to set an arbitrary command that can be run via
reset
For this application, this isn't needed, but you can modify ANY service to run an arbitrary command.
sc.exe create badService binpath= "cmd.exe /c c:\test.exe" type=own start=auto
This is our test service. It executes a test executable on the root of the install drive. Upon starting it, we receive the error: "The service did not respond to the start or control request in a timely fashion". This simply means that the application we are trying to force to run as a service simply isn't responding in the correct manner after starting.
This isn't a problem usually, and we have mitigated its affects by launching our test executable as a child of the process executed by the service call; but it is still possible for things to go wrong and the service to timeout before out test executable loads.
To fix this, we just need to modify the registry entry ServicesPipeTimeout. This registry entry controls how long windows will wait for a service to respond after starting. It is essential to change this when running a non service application.
Modifying the registry to ignore our weird service is easy and can be done with the following command:
REG add HKLM\SYSTEM\CurrentControlSet\Control /v ServicesPipeTimeout /t REG_DWORD /d 4294967295
This sets the timeout to 0xffffffff seconds, which should be more than enough for our service. It also helps stop SCM from killing the service before it loads our executable. This registry modification will not take effect until the next system reboot.
Shutdown -r -f -t 00
This next command should force an instant restart, which will apply all our changes and start our new hidden processes.
This is a very quick and easy way to start a hidden program on a computer; However it doesnt work with all kinds of programs. It generally works best on programs that would run constantly, or for launching GUI programs without their GUI. You can also take advantage of this to load in third party drivers into a system; there may even be some way of using services on boot to perform all manner of operations that the end user may not be aware of!