Hiding FB app from CTRL ALT DEL *PROCCESSES* not APPS

Windows specific questions.
GMWeezel
Posts: 38
Joined: Aug 10, 2005 22:34

Hiding FB app from CTRL ALT DEL *PROCCESSES* not APPS

Postby GMWeezel » Aug 15, 2005 19:24

I am lloking for a way to hide a FreeBASIC program from the CTRL ALT DEL taskmanageer. I already know you can hide it from thew applications tag by calling a compiler command line code of "-s gui" and dont call a screen mode but the program will still show up under the proccesses tab as "programname.exe." Is there a way to prevent this? Note: this is mainly for windows XP and NT.
Joakim_ar
Posts: 36
Joined: Jun 05, 2005 20:48

Postby Joakim_ar » Aug 15, 2005 21:24

Just out of curiousity, why would you want this?

I hope this is not possible at all, but I could be wrong.
MystikShadows
Posts: 612
Joined: Jun 15, 2005 13:22
Location: Upstate NY
Contact:

Postby MystikShadows » Aug 15, 2005 21:40

yeah it's possible...VB does it fine ;-)....but I don't know how exactly to do it...I think it's got to do with whether you run it as a process or a service...or something...but I don't have the exact info
GMWeezel
Posts: 38
Joined: Aug 10, 2005 22:34

Daemon

Postby GMWeezel » Aug 15, 2005 22:20

Im trying to create a special system daemon. I think MystikShadows has the right idea.
VirusScanner
Posts: 775
Joined: Jul 01, 2005 18:45

Postby VirusScanner » Aug 17, 2005 0:54

I believe it has to run as the SYSTEM user, which services do, but if you check the "Show processes from all users" box, it should show everything. I don't think it's possible to hide things from Administrators, but maybe users with lower privledges. Task manager just uses some kind of process enumeration function, doesn't it? So nothing should be able to hide from it because windows starts all processes.
Shadowwolf
Posts: 341
Joined: May 27, 2005 7:01
Location: Canada
Contact:

Postby Shadowwolf » Aug 17, 2005 1:11

well you could hide a program from system admin as well if you take a page from viruses and inject the program into the memorey space of another process as a active Thread.
etko
Posts: 113
Joined: May 27, 2005 7:55
Location: Slovakia
Contact:

Postby etko » Aug 17, 2005 10:23

I think there is no way to easy hide process in NT family, (or you must use some special non standard stealth techniques, or something like mentioned injecting technique ). Even in healthy system there are all services and processes visible, and in infected including trojans and viruses which have process.

NT was designed to be multiuser from the ground up, so to prevent your process from ending it could run under SYSTEM credentials and desktop session should be opened under user which doesn't have right to terminate SYSTEM processes. Hovever Adminstrator user which people normally use is able to terminate almost everything.
There are special kind of processes called services. To hide your process you may want to implement it like DLL and use svchost.exe (Service Host ;) ) to load it up. Even then the admin is able to terminate svchost (but at least you hide yours process name behind it). Anyway killing any svchost instance is very bad idea as single svchost process often "runs" several quite vital services. I'm not talking about that, that services are not allowed to open any windows, be it GUI or console.

Sure it's possible to hide process but doing it will cost you some heavy digging on net ;).

On Win9x machines it is suffisant to register running process as service through some RegisterServiceBla Win32 function and it will automatically dissapear from tasklist. Inversely uregistering it, will make your process pop up. I've done it before in some VB app ;).

However many special tools like sysinternals process explorer and so are able to show even some lame hidden processes on NT and services on Win9x and if your admin uses these tools it is quite hard to hide. He can use even filemon to trace file writes and when he is good enoug to identify you.
Shadowwolf
Posts: 341
Joined: May 27, 2005 7:01
Location: Canada
Contact:

Postby Shadowwolf » Aug 17, 2005 11:04

oh ya forgot the link on some injection demos

http://www.codeproject.com/threads/winspy.asp
peck
Posts: 24
Joined: Aug 04, 2005 1:12
Location: Sweden

Postby peck » Sep 05, 2005 16:40

Well... Heavy digging, I dunno about that. But sure, some digging is required.

By setting debugpriviledges on the process you wish to hide it via and then inject a LoadLibrary-call that loads your application as a dll to the remote process it won't show up using the normal taskmanager. Of course an advanced taskmanager will show what dll's are loaded by all processes, and if you wanna hide it from this method as well you have to do pure injecting.

Injecting ALL of the executable code is a nightmare but very possible, but the code itself needs to be written with some tweaks. You cannot use variables the way you normally do, but you can inject a struct into the process together with the code and then pass the pointer to the struct when injecting.

I would use the dll-injection instead tho just for simplicity.

/Peter

Return to “Windows”

Who is online

Users browsing this forum: No registered users and 2 guests