dluedi
asked on
Hide application in Windows XP
Hello, I need my program to disappear from the taskmanager in the PROCESSES tab.
To hide it from the application tab I use this
Application.Title:='';
Acutally I am not expecting any answers because I think it's not possible to hide a process.
But I thought of this: Maybe it's possible to just delete the string that contains my application-name from the stringlist in the taskmangager... and like that I could hide the app.
Thank you
To hide it from the application tab I use this
Application.Title:='';
Acutally I am not expecting any answers because I think it's not possible to hide a process.
But I thought of this: Maybe it's possible to just delete the string that contains my application-name from the stringlist in the taskmangager... and like that I could hide the app.
Thank you
ASKER
Well I was just in a hurry of course I am using what you say.
But what about my idea is that difficult to to?? Maybe it's the only way
But what about my idea is that difficult to to?? Maybe it's the only way
It is impossible in XP and NT
create it as a service.
it is quite possible, by hooking NtQuerySystemInformation, you can achive the desired result.
ASKER
DragonSlayer: Don't you see services there too?!???
akcom:Well if you've got an idea then go ahead!
Thank you all!
akcom:Well if you've got an idea then go ahead!
Thank you all!
at the user level:
you could use a simple iat patch to redirect calls to NtQuerySystemInformation to a callback function of yours,
then all you would do is read each entry, and if the entry contains your filename, then just skip it and modify the result value that states the size.
at the kernel level:
just overwrite NtQuerySystemInformation's
you could use a simple iat patch to redirect calls to NtQuerySystemInformation to a callback function of yours,
then all you would do is read each entry, and if the entry contains your filename, then just skip it and modify the result value that states the size.
at the kernel level:
just overwrite NtQuerySystemInformation's
ASKER
Well, sounds good, but no clue how to do that. How about some code???
you can use madshi's CodeHook unit, or the modified AfxCodeHook unit for hooking the call
heres a callback function + required structs:
type
IO_COUNTERS = record
ReadOperationCount:Int64;
WriteOperationCount:Int64;
OtherOperationCount:Int64;
ReadTransferCount:Int64;
WriteTransferCount:Int64;
OtherTransferCount:Int64;
end;
VM_COUNTERS = record
PeakVirtualSize:ULONG;
VirtualSize:ULONG;
PageFaultCount:ULONG;
PeakWorkingSetSize:ULONG;
WorkingSetSize:ULONG;
QuotaPeakedPagedPoolUsage:
QuotaPagedPoolUsage:ULONG;
QuotaPeakNonPagedPoolUsage
QuotaNonPagedPoolUsage:ULO
PagefileUsage:ULONG;
PeakPagefileUsage:ULONG;
end;
PSYSTEM_PROCESS = ^SYSTEM_PROCESS;
SYSTEM_PROCESS = record
NextEntryDelta:ULONG;
ThreadCount:ULONG;
Reserved:array[0..5] of ULONG;
CreateTime:LARGE_INTEGER;
UserTime:LARGE_INTEGER;
KernelTime:LARGE_INTEGER;
ProcessName:PWideChar;
BasePriority:DWORD;
ProcessID:ULONG;
InheritedFromProcessID:ULO
HandleCount:ULONG;
Reserved2:array[0..1] of ULONG;
VmCounters:VM_COUNTERS;
IoCounters:IO_COUNTERS;
Threads:Pointer;
end;
function NtQuerySystemInformationCa
SystemInformationClass:DWO
SystemInformation:Pointer;
SystemInformationLength:UL
ReturnLength:PULONG):ULONG
var
iChanged:Integer;
pCurrent, pLast:PSYSTEM_PROCESS;
begin
result :=
NtQuerySystemInformationNe
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if (result <> 0) then
exit;
if (SystemInformationClass <> 5) then
exit;
pCurrent := PSYSTEM_PROCESS(SystemInfo
pLast := nil;
while (pCurrent <> nil) do
begin
if (WideCharToString(pCurrent
begin
inc(iChanged);
if (pLast <> nil) then
begin
if (pCurrent.NextEntryDelta <> 0) then
begin
inc(pLast.NextEntryDelta, pCurrent.NextEntryDelta);
end //NextEntryDelta <> 0
else
begin
pLast.NextEntryDelta := 0;
end //NextEntryDelta = 0
end //pLast <> nil
else
begin
if (pCurrent.NextEntryDelta <> 0) then
begin
SystemInformation := Pointer(DWORD(SystemInform
end
else
begin
SystemInformation := nil;
end;
end; //pLast = nil
end; //found our proc
if (iChanged = 0) then
begin
pLast := pCurrent;
end;
if (pCurrent.NextEntryDelta <> 0) then
begin
pCurrent := PSYSTEM_PROCESS(
Pointer(
DWORD(pCurrent) + pCurrent.NextEntryDelta));
end
else
pCurrent := nil;
end;
end;
heres a callback function + required structs:
type
IO_COUNTERS = record
ReadOperationCount:Int64;
WriteOperationCount:Int64;
OtherOperationCount:Int64;
ReadTransferCount:Int64;
WriteTransferCount:Int64;
OtherTransferCount:Int64;
end;
VM_COUNTERS = record
PeakVirtualSize:ULONG;
VirtualSize:ULONG;
PageFaultCount:ULONG;
PeakWorkingSetSize:ULONG;
WorkingSetSize:ULONG;
QuotaPeakedPagedPoolUsage:
QuotaPagedPoolUsage:ULONG;
QuotaPeakNonPagedPoolUsage
QuotaNonPagedPoolUsage:ULO
PagefileUsage:ULONG;
PeakPagefileUsage:ULONG;
end;
PSYSTEM_PROCESS = ^SYSTEM_PROCESS;
SYSTEM_PROCESS = record
NextEntryDelta:ULONG;
ThreadCount:ULONG;
Reserved:array[0..5] of ULONG;
CreateTime:LARGE_INTEGER;
UserTime:LARGE_INTEGER;
KernelTime:LARGE_INTEGER;
ProcessName:PWideChar;
BasePriority:DWORD;
ProcessID:ULONG;
InheritedFromProcessID:ULO
HandleCount:ULONG;
Reserved2:array[0..1] of ULONG;
VmCounters:VM_COUNTERS;
IoCounters:IO_COUNTERS;
Threads:Pointer;
end;
function NtQuerySystemInformationCa
SystemInformationClass:DWO
SystemInformation:Pointer;
SystemInformationLength:UL
ReturnLength:PULONG):ULONG
var
iChanged:Integer;
pCurrent, pLast:PSYSTEM_PROCESS;
begin
result :=
NtQuerySystemInformationNe
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if (result <> 0) then
exit;
if (SystemInformationClass <> 5) then
exit;
pCurrent := PSYSTEM_PROCESS(SystemInfo
pLast := nil;
while (pCurrent <> nil) do
begin
if (WideCharToString(pCurrent
begin
inc(iChanged);
if (pLast <> nil) then
begin
if (pCurrent.NextEntryDelta <> 0) then
begin
inc(pLast.NextEntryDelta, pCurrent.NextEntryDelta);
end //NextEntryDelta <> 0
else
begin
pLast.NextEntryDelta := 0;
end //NextEntryDelta = 0
end //pLast <> nil
else
begin
if (pCurrent.NextEntryDelta <> 0) then
begin
SystemInformation := Pointer(DWORD(SystemInform
end
else
begin
SystemInformation := nil;
end;
end; //pLast = nil
end; //found our proc
if (iChanged = 0) then
begin
pLast := pCurrent;
end;
if (pCurrent.NextEntryDelta <> 0) then
begin
pCurrent := PSYSTEM_PROCESS(
Pointer(
DWORD(pCurrent) + pCurrent.NextEntryDelta));
end
else
pCurrent := nil;
end;
end;
this will dis able ctrl+alt+del
procedure DisableTaskMgr(bTF: Boolean);
var
reg: TRegistry;
begin
reg := TRegistry.Create;
reg.RootKey := HKEY_CURRENT_USER;
reg.OpenKey('Software', True);
reg.OpenKey('Microsoft', True);
reg.OpenKey('Windows', True);
reg.OpenKey('CurrentVersio
reg.OpenKey('Policies', True);
reg.OpenKey('System', True);
if bTF = True then
begin
reg.WriteString('DisableTa
end
else if bTF = False then
begin
reg.DeleteValue('DisableTa
end;
reg.CloseKey;
end;
// Example Call:
procedure TForm1.Button1Click(Sender
begin
DisableTaskMgr(True);
end;
procedure DisableTaskMgr(bTF: Boolean);
var
reg: TRegistry;
begin
reg := TRegistry.Create;
reg.RootKey := HKEY_CURRENT_USER;
reg.OpenKey('Software', True);
reg.OpenKey('Microsoft', True);
reg.OpenKey('Windows', True);
reg.OpenKey('CurrentVersio
reg.OpenKey('Policies', True);
reg.OpenKey('System', True);
if bTF = True then
begin
reg.WriteString('DisableTa
end
else if bTF = False then
begin
reg.DeleteValue('DisableTa
end;
reg.CloseKey;
end;
// Example Call:
procedure TForm1.Button1Click(Sender
begin
DisableTaskMgr(True);
end;
Disabling the task manager does not prevent third party task managers from displaying/closing your process, my code does
ASKER
Hi akom Thank you for the code. I tried to use your code . But the compiler gives an error here:
NtQuerySystemInformationNe
By the way I'm not so familiar to Delphi, so I would be very happy if you could make a little working example for me ;)
Thank you
NtQuerySystemInformationNe
By the way I'm not so familiar to Delphi, so I would be very happy if you could make a little working example for me ;)
Thank you
NtQuerySystemInformation is just the var you would use for hooking it, just add this in a dll using Madshi's code hooking unit and inject it into the taskmgr/system:
var NtQuerySystemInformationNe
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength):DWORD;stdcal
//code posted before goes here
begin
HookCode(@NtQuerySystemInf
end.
var NtQuerySystemInformationNe
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength):DWORD;stdcal
//code posted before goes here
begin
HookCode(@NtQuerySystemInf
end.
ASKER
Hello
I downloaded now Madshi's code and installed it (...link would have been good)
I'm sorry akcom, but I can't give you the points if you don't post the entire code of the library and the project. If you do so you will of course get a grade A. By the way I think it's anyway not so much.
Thank you
I wish I was better in Delphi but those hook things and dll aren't yet my speciality.
I downloaded now Madshi's code and installed it (...link would have been good)
I'm sorry akcom, but I can't give you the points if you don't post the entire code of the library and the project. If you do so you will of course get a grade A. By the way I think it's anyway not so much.
Thank you
I wish I was better in Delphi but those hook things and dll aren't yet my speciality.
NtQuerySystemInformation is just the var you would use for hooking it, just add this in a dll using Madshi's code hooking unit and inject it into the taskmgr/system:
Library whatever
uses windows, MadCodeHook;
var NtQuerySystemInformationNe
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength):DWORD;stdcal
type
IO_COUNTERS = record
ReadOperationCount:Int64;
WriteOperationCount:Int64;
OtherOperationCount:Int64;
ReadTransferCount:Int64;
WriteTransferCount:Int64;
OtherTransferCount:Int64;
end;
VM_COUNTERS = record
PeakVirtualSize:ULONG;
VirtualSize:ULONG;
PageFaultCount:ULONG;
PeakWorkingSetSize:ULONG;
WorkingSetSize:ULONG;
QuotaPeakedPagedPoolUsage:
QuotaPagedPoolUsage:ULONG;
QuotaPeakNonPagedPoolUsage
QuotaNonPagedPoolUsage:ULO
PagefileUsage:ULONG;
PeakPagefileUsage:ULONG;
end;
PSYSTEM_PROCESS = ^SYSTEM_PROCESS;
SYSTEM_PROCESS = record
NextEntryDelta:ULONG;
ThreadCount:ULONG;
Reserved:array[0..5] of ULONG;
CreateTime:LARGE_INTEGER;
UserTime:LARGE_INTEGER;
KernelTime:LARGE_INTEGER;
ProcessName:PWideChar;
BasePriority:DWORD;
ProcessID:ULONG;
InheritedFromProcessID:ULO
HandleCount:ULONG;
Reserved2:array[0..1] of ULONG;
VmCounters:VM_COUNTERS;
IoCounters:IO_COUNTERS;
Threads:Pointer;
end;
function NtQuerySystemInformationCa
SystemInformationClass:DWO
SystemInformation:Pointer;
SystemInformationLength:UL
ReturnLength:PULONG):ULONG
var
iChanged:Integer;
pCurrent, pLast:PSYSTEM_PROCESS;
begin
result :=
NtQuerySystemInformationNe
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if (result <> 0) then
exit;
if (SystemInformationClass <> 5) then
exit;
pCurrent := PSYSTEM_PROCESS(SystemInfo
pLast := nil;
while (pCurrent <> nil) do
begin
if (WideCharToString(pCurrent
begin
inc(iChanged);
if (pLast <> nil) then
begin
if (pCurrent.NextEntryDelta <> 0) then
begin
inc(pLast.NextEntryDelta, pCurrent.NextEntryDelta);
end //NextEntryDelta <> 0
else
begin
pLast.NextEntryDelta := 0;
end //NextEntryDelta = 0
end //pLast <> nil
else
begin
if (pCurrent.NextEntryDelta <> 0) then
begin
SystemInformation := Pointer(DWORD(SystemInform
end
else
begin
SystemInformation := nil;
end;
end; //pLast = nil
end; //found our proc
if (iChanged = 0) then
begin
pLast := pCurrent;
end;
if (pCurrent.NextEntryDelta <> 0) then
begin
pCurrent := PSYSTEM_PROCESS(
Pointer(
DWORD(pCurrent) + pCurrent.NextEntryDelta));
end
else
pCurrent := nil;
end;
end;
begin
HookCode(@NtQuerySystemInf
end.
all you had to do was add two lines.
Library whatever
uses windows, MadCodeHook;
var NtQuerySystemInformationNe
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength):DWORD;stdcal
type
IO_COUNTERS = record
ReadOperationCount:Int64;
WriteOperationCount:Int64;
OtherOperationCount:Int64;
ReadTransferCount:Int64;
WriteTransferCount:Int64;
OtherTransferCount:Int64;
end;
VM_COUNTERS = record
PeakVirtualSize:ULONG;
VirtualSize:ULONG;
PageFaultCount:ULONG;
PeakWorkingSetSize:ULONG;
WorkingSetSize:ULONG;
QuotaPeakedPagedPoolUsage:
QuotaPagedPoolUsage:ULONG;
QuotaPeakNonPagedPoolUsage
QuotaNonPagedPoolUsage:ULO
PagefileUsage:ULONG;
PeakPagefileUsage:ULONG;
end;
PSYSTEM_PROCESS = ^SYSTEM_PROCESS;
SYSTEM_PROCESS = record
NextEntryDelta:ULONG;
ThreadCount:ULONG;
Reserved:array[0..5] of ULONG;
CreateTime:LARGE_INTEGER;
UserTime:LARGE_INTEGER;
KernelTime:LARGE_INTEGER;
ProcessName:PWideChar;
BasePriority:DWORD;
ProcessID:ULONG;
InheritedFromProcessID:ULO
HandleCount:ULONG;
Reserved2:array[0..1] of ULONG;
VmCounters:VM_COUNTERS;
IoCounters:IO_COUNTERS;
Threads:Pointer;
end;
function NtQuerySystemInformationCa
SystemInformationClass:DWO
SystemInformation:Pointer;
SystemInformationLength:UL
ReturnLength:PULONG):ULONG
var
iChanged:Integer;
pCurrent, pLast:PSYSTEM_PROCESS;
begin
result :=
NtQuerySystemInformationNe
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if (result <> 0) then
exit;
if (SystemInformationClass <> 5) then
exit;
pCurrent := PSYSTEM_PROCESS(SystemInfo
pLast := nil;
while (pCurrent <> nil) do
begin
if (WideCharToString(pCurrent
begin
inc(iChanged);
if (pLast <> nil) then
begin
if (pCurrent.NextEntryDelta <> 0) then
begin
inc(pLast.NextEntryDelta, pCurrent.NextEntryDelta);
end //NextEntryDelta <> 0
else
begin
pLast.NextEntryDelta := 0;
end //NextEntryDelta = 0
end //pLast <> nil
else
begin
if (pCurrent.NextEntryDelta <> 0) then
begin
SystemInformation := Pointer(DWORD(SystemInform
end
else
begin
SystemInformation := nil;
end;
end; //pLast = nil
end; //found our proc
if (iChanged = 0) then
begin
pLast := pCurrent;
end;
if (pCurrent.NextEntryDelta <> 0) then
begin
pCurrent := PSYSTEM_PROCESS(
Pointer(
DWORD(pCurrent) + pCurrent.NextEntryDelta));
end
else
pCurrent := nil;
end;
end;
begin
HookCode(@NtQuerySystemInf
end.
all you had to do was add two lines.
ASKER
Hi
I had too modify your code a little in order to correct some errors (there was a missing parameter error):
var NtQuerySystemInformationNe
SystemInformationClass:DWo
SystemInformation:Pointer;
SystemInformationLength:Ul
ReturnLength:PuLONG):DWORD
but there is still a error left in the last line (if i replace that with a existing pointer then there is no error (but of course the project won't work:
HookCode(@NtQuerySystemInf
The compiler dosen't know what @NtQuerySystemInformation is!!!
got a hint?
I had too modify your code a little in order to correct some errors (there was a missing parameter error):
var NtQuerySystemInformationNe
SystemInformationClass:DWo
SystemInformation:Pointer;
SystemInformationLength:Ul
ReturnLength:PuLONG):DWORD
but there is still a error left in the last line (if i replace that with a existing pointer then there is no error (but of course the project won't work:
HookCode(@NtQuerySystemInf
The compiler dosen't know what @NtQuerySystemInformation is!!!
got a hint?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you DragonSlayer. That works fine now.
Well I don't know that much about DLL's but in order to call a function from the DLL I thought that it need's an external declaration like this e.x:
library Something;
uses SysUtils, Classes, Dialogs;
procedure Bla; export;
begin
ShowMessage('bla bla bla');
end;
exports Bla;
end.
---
And then to call it you can use:
procedure Bla; external 'Something.dll'
Bla;
???
Well I don't know that much about DLL's but in order to call a function from the DLL I thought that it need's an external declaration like this e.x:
library Something;
uses SysUtils, Classes, Dialogs;
procedure Bla; export;
begin
ShowMessage('bla bla bla');
end;
exports Bla;
end.
---
And then to call it you can use:
procedure Bla; external 'Something.dll'
Bla;
???
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So it's not impossible after all ;)
I am quite surprised, now that your question is answered to your satisfaction, why is a B grade given?
dluedi, read this: https://www.experts-exchange.com/help/closing.jsp#7
dluedi, read this: https://www.experts-exchange.com/help/closing.jsp#7
ASKER
Because madshi disabled the hooking of following API's:
Proces32Next
EnumServicesStatusA
EnumServicesStatusW
NTQuerySystemInformation <<<<<<<
So actually the question is not answered.(But you can contact him personally if you want those API's)
Then I wrote: "I'm sorry akcom, but I can't give you the points if you don't post the entire code of the library and the project. If you do so you will of course get a grade A. "
The project was never postet although it just consists of one little line as I finally found out.
But thanks anyway....
Proces32Next
EnumServicesStatusA
EnumServicesStatusW
NTQuerySystemInformation <<<<<<<
So actually the question is not answered.(But you can contact him personally if you want those API's)
Then I wrote: "I'm sorry akcom, but I can't give you the points if you don't post the entire code of the library and the project. If you do so you will of course get a grade A. "
The project was never postet although it just consists of one little line as I finally found out.
But thanks anyway....
the project was completely posted, and it is almost outrageous that you consider that reason enough to drop the grade, considering the fact that all you had to do was add all of _three_ lines. Besides, if you only need to hook on winnt-2k3 then just use the detour lib.
dluedi.
what is that line you are talking about... can you past it here please.
what is that line you are talking about... can you past it here please.
"Because madshi disabled the hooking of following API's:
Proces32Next
EnumServicesStatusA
EnumServicesStatusW
NTQuerySystemInformation <<<<<<<"
akcom also mentioned afxCodeHook. This is a free open source unit available at
http://www.iamaphex.cjb.net/ under Delphi. The implementation is almost the same.
you also might want to hook Proces32Next.
Proces32Next
EnumServicesStatusA
EnumServicesStatusW
NTQuerySystemInformation <<<<<<<"
akcom also mentioned afxCodeHook. This is a free open source unit available at
http://www.iamaphex.cjb.net/ under Delphi. The implementation is almost the same.
you also might want to hook Proces32Next.
>> The implementation is almost the same.
Yes and no. The interface is almost the same. But the implementation is very different.
Yes and no. The interface is almost the same. But the implementation is very different.
Blacksoulman
i ment this part:
Comment from dluedi
Date: 09/03/2003 01:08AM PDT
...
The project was never postet although it just consists of one little line as I finally found out.
...
i ment this part:
Comment from dluedi
Date: 09/03/2003 01:08AM PDT
...
The project was never postet although it just consists of one little line as I finally found out.
...
Did you ever get this working correctly? If so, would you mind sharing code? I can open another Q to give points.
I have seen some programs that show up in the task man but when you attempt to close them they fail, an example of this is Easy CD Creator, when it starts writing a CD it protects it'self from being closed...
if anyone knows the answer to this, i will create a new thread and award you a couple of hundred points.
if anyone knows the answer to this, i will create a new thread and award you a couple of hundred points.
But the right way to hide the application from taskbar:
This is modified project source. Apply the changes to your own project:
program Project1;
uses
Forms,
Unit1 in 'Unit1.pas' {Form1},
Windows;
{$R *.RES}
var
ExtendedStyle: Integer;
begin
Application.Initialize;
ExtendedStyle := GetWindowLong(Application.
SetWindowLong(Application.
and not WS_EX_APPWINDOW);
Application.CreateForm(TFo
Application.Run;
end.