HackTool.Win32.Hider.AA

 Analysis by: Earle Maui Earnshaw

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

29,184 bytes

Memory Resident:

Yes

Initial Samples Received Date:

06 Sep 2019

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Hacking Tool does the following:

  • It hides the following:
    • Files
    • Directories
    • Registry keys
    • Registry values
  • Protects specific processes
  • Excludes specific processes from its hiding and protection features, so that those processes can still see the hidden objects
  • Accepts the following commands:
    hiddencli [mode] [connection] [perform]

    Mode:
    By default, the given commands are executed immediately.
    • /install [%driver%] → Install the commands in the registry without executing them; the driver loads them on start. If this flag is set, connection parameters should not be set. The optional parameter sets the correct registry path if the driver name has been changed; by default it is "hidden".
    • /uninstall [%driver%] all → Uninstall all configurations from the registry. This flag is self-sufficient: when it is set, no other parameters or commands should follow it.

    Connection:
    • /gate <%name%> → Set a specific connection gate name. By default "HiddenGate" is used.

    Perform:
    By default, one command is performed per execution.
    • /multi → Enable multiple commands per execution; the commands are typed one after another without any separator.
    • /config <%path%> → Load multiple commands from a file, one command per line.

    Commands:
    • /state → Enable or disable enforcement of the hiding and protection rules
    • /query state → Get the enforcement state
    • /hide <%path%> → Hide a filesystem or registry object by path
    • /unhide all → Unhide all filesystem or registry objects of the selected type
    • /unhide <%ruleid%> → Unhide the filesystem or registry object of the selected type that matches the given rule ID
    • /ignore image [inherit:] [apply:] <%path%> → Add a rule that lets processes with the given image path see hidden filesystem and registry objects
    • /unignore <%ruleid%> → Remove, by rule ID, a rule that lets processes see hidden filesystem and registry objects
    • /unignore all → Remove all rules that let processes see hidden filesystem and registry objects
    • /ignore pid [inherit:] <%pid%> → Let a specific process, by PID, see hidden filesystem and registry objects
    • /unignore pid <%pid%> → Stop a specific process, by PID, from seeing hidden filesystem and registry objects
    • /protect image [inherit:] [apply:] <%path%> → Add a rule that enables process protection for processes with the given image path
    • /unprotect <%ruleid%> → Remove, by rule ID, a rule that enables process protection
    • /unprotect all → Remove all rules that enable process protection
    • /protect pid [inherit:] <%pid%> → Turn on protection for a specific process by PID
    • /unprotect pid <%pid%> → Turn off protection for a specific process by PID
    • /query process <%pid%> → Query the protection and visibility state of a process by PID

    Options:
    • inherit:none → Child processes do not inherit the protected or ignored state
    • inherit:once → A child process inherits the same state, but its own children do not
    • inherit:always → A child process inherits the same state, and so do its children
    • apply:forall → Apply the policy to existing processes and to all new processes
    • apply:fornew → Apply the policy only to new processes, not to existing ones
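The command grammar above is what an analyst has to read back when a /config file, or the command list that /install stores under the driver's registry key, is recovered from an infected host. The following is an added example written for this description; it is not code from the tool or from Trend Micro. It parses that grammar exactly as listed on this page (the /multi form, where commands are concatenated without a separator, included), validates the inherit: and apply: options, and summarizes which paths the driver was told to hide, which processes it protects, and which processes are exempt. The sample configuration is constructed for the example, and the "on" argument to /state is an assumption, since the page lists /state without its argument.

```python
"""Parse hiddencli command lines and summarize the resulting rootkit policy.

Added analyst helper, not part of hiddencli or the driver. Implements the
command grammar as listed in this description; any further positional
selector the real tool may accept is outside what the page shows.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

INHERIT_VALUES = {"none", "once", "always"}
APPLY_VALUES = {"forall", "fornew"}


@dataclass
class Rule:
    verb: str                   # hide, unhide, ignore, unignore, protect, unprotect, state, query
    kind: str | None = None     # image | pid | state | process; None for /hide and /unhide
    target: str | None = None   # path, PID, rule ID, "all", or the /state argument
    options: dict = field(default_factory=dict)   # validated inherit:/apply: settings


def tokenize(line: str) -> list[str]:
    # posix=False keeps the backslashes of Windows and registry paths intact;
    # the quotes around a path containing spaces are stripped here instead.
    return [tok.strip('"') for tok in shlex.split(line, posix=False)]


def split_multi(tokens: list[str]) -> list[list[str]]:
    # /multi mode runs commands back to back with no separator. Every command
    # begins with a slash-prefixed verb and no path, PID or option token does,
    # so a new command starts at each "/" token.
    commands: list[list[str]] = []
    for tok in tokens:
        if tok.startswith("/") or not commands:
            commands.append([tok])
        else:
            commands[-1].append(tok)
    return commands


def parse_command(tokens: list[str]) -> Rule:
    verb = tokens[0].lstrip("/").lower()
    rest = tokens[1:]
    rule = Rule(verb)
    if verb == "query":                               # /query state | /query process <pid>
        rule.kind = rest[0].lower() if rest else None
        rest = rest[1:]
    elif verb in ("ignore", "protect"):               # always followed by image or pid
        if not rest or rest[0].lower() not in ("image", "pid"):
            raise ValueError(f"/{verb} requires 'image' or 'pid'")
        rule.kind = rest[0].lower()
        rest = rest[1:]
    elif verb in ("unignore", "unprotect") and rest and rest[0].lower() == "pid":
        rule.kind = "pid"                             # otherwise the argument is a rule ID or "all"
        rest = rest[1:]
    positional: list[str] = []
    for tok in rest:
        key, sep, value = tok.partition(":")
        if sep and key.lower() in ("inherit", "apply"):
            key, value = key.lower(), value.lower()
            allowed = INHERIT_VALUES if key == "inherit" else APPLY_VALUES
            if value not in allowed:
                raise ValueError(f"invalid option {key}:{value} for /{verb}")
            if key == "apply" and rule.kind != "image":
                raise ValueError("apply: is only valid for image rules")
            rule.options[key] = value
        else:
            positional.append(tok)                    # a drive letter like C: is not an option
    rule.target = " ".join(positional) if positional else None
    return rule


def parse_config(text: str) -> list[Rule]:
    # A /config file holds one command per line; split_multi is still applied
    # per line so that /multi-style lines are handled too.
    rules: list[Rule] = []
    for line in text.splitlines():
        if line.strip():
            rules.extend(parse_command(cmd) for cmd in split_multi(tokenize(line)))
    return rules


def summarize(rules: list[Rule]) -> dict:
    # The artefacts to verify from a clean boot: the driver hides them from
    # every process that is not covered by an ignore rule.
    out: dict = {"state": None, "hidden": [], "protected_images": [],
                 "protected_pids": [], "exempt_images": [], "exempt_pids": []}
    for r in rules:
        if r.verb == "hide":
            out["hidden"].append(r.target)
        elif r.verb == "protect":
            out["protected_images" if r.kind == "image" else "protected_pids"].append(r.target)
        elif r.verb == "ignore":
            out["exempt_images" if r.kind == "image" else "exempt_pids"].append(r.target)
        elif r.verb == "state":
            out["state"] = r.target
    return out


# Constructed sample /config file for this example (not a real sample); the
# "on" argument to /state is assumed, as the page lists /state without it.
SAMPLE_CONFIG = r"""
/state on
/hide C:\ProgramData\svc\payload.exe
/hide "C:\ProgramData\svc\drop dir"
/hide HKLM\SOFTWARE\Vendor\Run
/protect image inherit:always apply:forall C:\ProgramData\svc\payload.exe
/ignore image inherit:once apply:fornew C:\Windows\System32\svchost.exe
/protect pid inherit:none 1234 /ignore pid 4321
"""

if __name__ == "__main__":
    for key, value in summarize(parse_config(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Paths returned under "hidden" will not appear in Explorer, dir, or the registry editor while the driver is loaded and enforcement is on, unless the querying process matches an ignore rule; confirm them from a clean boot or offline disk image rather than from the live system.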

  SOLUTION

Minimum Scan Engine:

9.850

SSAPI PATTERN File:

2.213.00

SSAPI PATTERN Date:

12 Sep 2019

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Scan your computer with your Trend Micro product to delete files detected as HackTool.Win32.Hider.AA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

