Gibontuzu asked:
Hide process from Vista Task Manager
I have seen many code samples showing how to hide a process from Windows 9x/XP/2k, but never from Vista. So I need working code in C++. What do you think, can this be done?
//--------------Hide process win 9x/NT/XP/2k.cpp--------------
#include <vcl.h>   // Borland C++Builder VCL header (Application, Exception, USEFORM)
#pragma hdrstop
USERES("HiddenApp.res");
USEFORM("Unit1.cpp",Form1);
// RegisterServiceProcess is an undocumented KERNEL32 export that exists only on
// Windows 9x/Me; on NT-based systems GetProcAddress fails and reg() does nothing.
typedef DWORD (WINAPI *TRegisterServiceProcess)(DWORD,DWORD);
bool registered=false;
//-----------------------------------------------------------------------
void __fastcall reg(bool which) //true=register, false=unregister
{
    HMODULE hmod;
    TRegisterServiceProcess pReg;
    hmod = LoadLibrary("KERNEL32.dll");
    if (!hmod) return;
    pReg = (TRegisterServiceProcess)::GetProcAddress(hmod,"RegisterServiceProcess");
    if (!pReg) {FreeLibrary(hmod); return;}
    if (which)
        pReg(0,1); //register the calling process (PID 0 = current) as a service process
    else
        pReg(0,0); //unregister it again
    registered = which;
    FreeLibrary(hmod);
}
//-----------------------------------------------------------------------
int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,int)
{
    try
    {
        reg(true);
        Application->Initialize();
        Application->CreateForm(__classid(TForm1), &Form1);
        Application->Run();
    }
    catch (Exception &exception)
    {
        Application->ShowException(&exception);
    }
    if (registered) reg(false);
    return 0;
}
//--------------eof--------------------------------------------------------
You need to go into kernel mode, hook ZwQueryProcessInformation and remove your process from the linked list (that can still be recovered, though).
For hiding a process in Vista, you have two methods:
1) Convert your entire application to a DLL and inject it into a trusted application like explorer.exe. If you do everything properly, you won't have problems with this one.
2) Write a driver which removes your process from the linked list. It will help you, but in Vista you cannot load unsigned drivers; you can sign your driver, which is not an option (as far as I know), or try invented methods to bypass this security restriction.
That's all... :-)
All the other replies are correct: you'll need to write a device driver and do that in kernel mode.
You can get pretty good ideas on how to do that in the book "Rootkits: Subverting the Windows Kernel" by Hoglund.
You can even find some good samples on how to do that at www.rootkit.com.
There's even one on CodeProject:
http://www.codeproject.com/KB/system/hide-driver.aspx
However, all these techniques will fail on x64 Vista because of PatchGuard. There will be no way to hide your process on x64 Vista and above.
Hope that helps
- Kelvin
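The replies above describe hiding by hooking the process-query call or unlinking the process from the kernel's list. The defensive counterpart is a cross-view check: compare the enumeration Task Manager relies on with a second view that does not go through that enumeration. The following is an added example, not code from the thread; it assumes Windows Vista or later (PROCESS_QUERY_LIMITED_INFORMATION was introduced there) and an elevated PowerShell session so every live process can be opened.

```powershell
# Added example (not from the thread): cross-view detection of a process hidden from enumeration.
# View 1 (Get-Process) relies on NtQuerySystemInformation, the call a hooking rootkit tampers with.
# View 2 (OpenProcess) resolves a PID through the kernel's handle/CID table, so a process that
# was unlinked from the process list can usually still be opened. Any PID present only in view 2
# is a discrepancy worth investigating.
$native = Add-Type -PassThru -Name 'ProcView' -Namespace 'CrossView' -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # weakest right; granted even for protected processes
$MaxPid = 0x40000                             # assumption: adjust upwards on very busy systems

# View 1: the listing Task Manager / tasklist / Get-Process all derive from.
$listed = @{}
Get-Process | ForEach-Object { $listed[[uint32]$_.Id] = $_.ProcessName }

# View 2: probe every candidate PID directly. PIDs are multiples of 4; skip 0 (Idle) and 4 (System).
$onlyInView2 = @()
for ($candidate = 8; $candidate -lt $MaxPid; $candidate += 4) {
    $h = $native::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
    if ($h -eq [IntPtr]::Zero) { continue }   # no such process (or not openable; see note below)
    [void]$native::CloseHandle($h)
    if (-not $listed.ContainsKey([uint32]$candidate)) { $onlyInView2 += $candidate }
}

if ($onlyInView2.Count -eq 0) {
    'No discrepancy: every openable PID is also in the enumerated process list.'
} else {
    "PIDs openable via OpenProcess but missing from Get-Process: $($onlyInView2 -join ', ')"
}
```

A process that exits between the two views produces a one-off false positive, so repeat the check before acting on a hit; a kernel-mode rootkit that also hooks the object manager can defeat this comparison, which is why cross-view tools use several independent views.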