
ASM Start Process hidden


I have an already compiled C++ console application which is shown as a little black window. Now I want to disassemble the app and add code to get the process to start hidden. Maybe you can help me find the API call, or if you can, explain to me how that works. The current debugger I use is OllyDBG, but I also have knowledge of IDA and WDASM32.

Thanks in advance!


Solution

  • There are two ways to do this. You can do a code injection to hide the window after it's created or you can change the subsystem that is defined in the PE header.

    The PE header has a flag defining the subsystem the code was compiled against. This will currently be WINDOWS_CUI and you want to change it to WINDOWS_GUI.

    To do the code injection, find a code cave, then patch a JMP at the entry point (EP) to this code cave. In the code cave, write the instruction that was overwritten by the JMP, then make a call to FreeConsole, then JMP back to the instruction after the JMP you patched in at the EP earlier.

    Let me give you an example. I compiled a C program in VC++:

    #include <Windows.h>
    
    int main() {
      // Keep the process alive so the console window stays on screen.
      Sleep(INFINITE);
      return 0;
    }
    

    If we open up the resulting binary in OllyDbg, we get something like this:

    [Screenshot 1: OllyDbg CPU window after loading the binary]

    Press the big M at the top to get the Memory Map:

    [Screenshot 2: OllyDbg Memory Map window]

    Since our main module is Some_console_App, double-click the PE header there, which takes us to this:

    [Screenshot 3: PE header dump of Some_console_App]

    Scroll down a bit to find the subsystem:

    [Screenshot 4: Subsystem field in the PE header dump]

    As you can see, it's set to IMAGE_SUBSYSTEM_WINDOWS_CUI, which is defined as 3. We want to set it to IMAGE_SUBSYSTEM_WINDOWS_GUI, which is 2. Go back to the CPU window and, in the hex dump, go to the address where the subsystem flag is stored. In this case it's 0x0136013C:

    [Screenshot 5: Hex dump at 0x0136013C in the CPU window]

    Select the byte you want to change, hit Ctrl-E and change the 3 to 2. Then right-click >> Copy to Executable File. In the File window that pops up, right-click and select Save File.

    Tada! Done. Sorry for the large resolution of the pictures.
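The answer locates the Subsystem field by hand in OllyDbg. As an added example (not code from the question or the answer), the script below does the same walk over the PE headers programmatically: DOS header, e_lfanew, "PE\0\0" signature, COFF header, then the optional header where Subsystem sits at offset 68 for both PE32 and PE32+. It can report the current value (useful when checking whether a binary's subsystem matches what its behaviour suggests) and produce a patched copy with the value changed. The sample image it operates on is a constructed headers-only PE32 stub, not a loadable executable; the function names and the `build_sample_console_image` helper are my own.

```python
import struct

# Subsystem values from the PE/COFF specification (IMAGE_SUBSYSTEM_*).
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
SUBSYSTEM_NAMES = {
    IMAGE_SUBSYSTEM_WINDOWS_GUI: "IMAGE_SUBSYSTEM_WINDOWS_GUI",
    IMAGE_SUBSYSTEM_WINDOWS_CUI: "IMAGE_SUBSYSTEM_WINDOWS_CUI",
}

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# Subsystem sits 68 bytes into the optional header for both PE32 and PE32+.
SUBSYSTEM_FIELD_OFFSET = 68


def subsystem_offset(data: bytes) -> int:
    """Return the file offset of the optional header's Subsystem field.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional
    header, validating each step so a non-PE or truncated file raises
    instead of being patched blindly.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    # SizeOfOptionalHeader is 16 bytes into the 20-byte COFF header.
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20
    (magic,) = struct.unpack_from("<H", data, optional)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    if size_of_optional < SUBSYSTEM_FIELD_OFFSET + 2:
        raise ValueError("optional header too small to hold Subsystem")
    off = optional + SUBSYSTEM_FIELD_OFFSET
    if off + 2 > len(data):
        raise ValueError("file truncated before Subsystem field")
    return off


def read_subsystem(data: bytes) -> int:
    (value,) = struct.unpack_from("<H", data, subsystem_offset(data))
    return value


def describe_subsystem(data: bytes) -> str:
    value = read_subsystem(data)
    return f"{SUBSYSTEM_NAMES.get(value, 'UNKNOWN')} ({value})"


def set_subsystem(data: bytes, value: int) -> bytes:
    """Return a copy of `data` with the Subsystem field set to `value`.

    Only the two-byte field changes; no other header field is touched.
    """
    patched = bytearray(data)
    struct.pack_into("<H", patched, subsystem_offset(data), value)
    return bytes(patched)


def build_sample_console_image() -> bytes:
    """Constructed minimal PE32 header (headers only, no sections or code).

    Just enough structure for the functions above to walk; it is not a
    loadable executable.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0 (PE32).
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    struct.pack_into("<H", optional, SUBSYSTEM_FIELD_OFFSET,
                     IMAGE_SUBSYSTEM_WINDOWS_CUI)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    image = build_sample_console_image()
    print("before:", describe_subsystem(image))
    hidden = set_subsystem(image, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    print("after: ", describe_subsystem(hidden))
```

Two caveats when applying this to a real file: the optional header's CheckSum field is left untouched (the loader does not validate it for ordinary user-mode executables, but tools that do will notice), and any Authenticode signature on the file is invalidated by the change. From the defensive side, a binary whose subsystem is GUI but which never creates a window, or whose on-disk subsystem differs from the vendor's shipped build, is exactly the kind of header inconsistency worth flagging.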