Solved

Hide from NT Process List. (+4000 Points)

Posted on 2002-04-15
Last Modified: 2010-04-04
Hello.

I've been looking for, and trying to create myself, an application that can hide itself from the NT process list.  I know that this can be done as I have a program that does it.  (PC Activity Monitor - you see the monitor application start up and disappear immediately.)

If it's possible to have a DLL execute and remain resident after the calling EXE completes, this will probably suffice, but as long as the end result is 100%, I don't care on the method.

I know 75 points is not a lot for this, but that's all I currently have.  I have 1000 points due to me for filling out the current survey, and I will willingly give these (multiplied by 4 for an excellent grade) for a 100% solution to this question.

Bob Hoskins
(Actor Extraordinaire)
Question by:Bob_Hoskins
33 Comments
 
LVL 1

Expert Comment

by:MoonCalf
ID: 6941801
I've tried this before so I'm definitely listening....
0
 
LVL 27

Expert Comment

by:kretzschmar
ID: 6941843
a job for madshi, i guess
listening also . . .
0
 
LVL 6

Expert Comment

by:Jaymol
ID: 6941851
Lots of points.  Are we going to see a real solution this time?

John.
0
 
LVL 2

Expert Comment

by:dMa
ID: 6942297
The answer depends on the operating system. On Win9x, where the task list is the one shown by pressing Ctrl-Alt-Del, you can hide your application by registering it as a service via the RegisterServiceProcess() API. On NT it's impossible using this function.
I will look for any possibility to do it; I think one of them is to register your application as Explorer, many viruses hide their own process like this.
Tip: search for sources on hacker URLs, they have many virus listings if you understand assembler language :)


0
 
LVL 9

Expert Comment

by:ginsonic
ID: 6942423
Ups!
0
 
LVL 16

Expert Comment

by:AlexNek
ID: 6942839
2 Bob_Hoskins
One well know solution is:
RegisterServiceProcess(GetCurrentProcessID, 1);

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/win32/95func_3t0z.asp

But it doesn't work in all OS.
0
 
LVL 44

Expert Comment

by:bruintje
ID: 6942961
listening
0
 
LVL 12

Expert Comment

by:Lee_Nover
ID: 6943293
depends what your app has to do
you could basically make an activex dll
for instance an IShellExecuteHook
you launch your own filetype and check the file you ran
then do whatever your "app" has to do ...
I haven't tested this ... only wrote it quickly
it compiled ok ...
in order to work you need to register the filetype you want
this was just one of the ideas I thought of
maybe something else will also come to mind :)
here's the link to the sources:
http://lee.nover.has.his.evilside.org/isapi/pas2html.dll/pas2html?File=/delphi/MiscFiles/IShellExecuteVirtualApp/
this is on my machine so if someone can put it on a more stable server it would be great :)

hope this helps at all
0
 

Author Comment

by:Bob_Hoskins
ID: 6944082
Hi Guys.

Thanks for comments so far, but still waiting for an answer.

Yes, I am working on NT (as it says in the question).  I think people should try looking at this from another angle - I'm not asking how to hide an application from the operating system - just the task manager.

I saw a question recently that used a listview macro to read a listview from another program.  Would it be possible to trap the redraw message of the task manager's listview and remove the item before the listview is visibly refreshed?  (This is purely an idea though.)

Any other ideas are more than welcome, but when complete, I want to be able to copy code directly from here to my application and that's all I have to do.

Thank you,

Bob Hoskins
Actor Extraordinaire
0
 

Author Comment

by:Bob_Hoskins
ID: 6944417
Lee_Nover : I appreciate the time and effort on your part, but I don't even know if that code was relevant as there's no instructions on using it whatsoever.

Please, 4000 points is a lot, and it's not a lot to ask in return for well documented and tested code.

Bob Hoskins.
0
 
LVL 12

Expert Comment

by:Lee_Nover
ID: 6944575
I'm not in for the points
I just like to help on interesting topics
anyway I'm gonna try out the thing I wrote and if it works well I'll comment the code
about your suggestion to hook the taskmanagers listview .. I'll check into that also
an interesting idea :)
0
 

Author Comment

by:Bob_Hoskins
ID: 6944584
Thanks Lee.  By the way - Girls Kissing?  NICE!!!

Bob Hoskins.
0
 
LVL 20

Accepted Solution

by:
Madshi earned 75 total points
ID: 6944709
You have several possibilities, but they're not nice altogether:

(1) After your program has started, you can try to copy your program into the context of another process and execute it there as a remote thread (CreateRemoteThread). This approach is used by bo2k. It's quite difficult, though. No idea if it's actually possible with Delphi, never tried that yet.

(2) You could put all your program into a dll and inject that dll into another process. That's relatively easy, you can e.g. use my package "madRemote", with which you can simply call "InjectLibrary(processHandle, 'c:\yourPath\yourDll.dll')" to inject your dll into any running process.

(3) You could set up a cbt or shell hook (SetWindowsHookEx) to be notified about the creation of the task manager window. After you have that handle you can hook into that process and do whatever you like with it. E.g. you could hook the process enumeration APIs inside of the task manager or hook the output directly (e.g. by hooking the list view or whatever control that is).

For all solutions you need enough privileges, maybe the current user must even have administrator rights, not sure about that...

Sorry, I can't really do much more than talk about how you could do it. You will have to do the work yourself. The easiest way would probably be to inject a dll into another process.

Regards, Madshi.
0
 

Author Comment

by:Bob_Hoskins
ID: 6944713
Thanks Madshi.  Where can I get a copy of madRemote?  I'll give it a go.

Bob Hoskins.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 6944719
Ooooooop, sorry, totally forgot to mention that. And I also was confused about my own packages...   :-(   You need madCodeHook + madRemote, sorry...

Here is my homepage, both madRemote and madCodeHook are free for non-commercial usage (but without sources):

http://www.madshi.net

Here is the online documentation:

http://help.madshi.net/Data/madCodeHook.htm

Regards, Madshi.
0
 

Author Comment

by:Bob_Hoskins
ID: 6944740
Thanks Madshi.

----------------------------------------------------------
(3) You could set up a cbt or shell hook (SetWindowsHookEx) to be notified about the creation of the task manager window. After you have that handle you can hook into that process and do whatever you like
with it. E.g. you could hook the process enumeration APIs inside of the task manager or hook the output
directly (e.g. by hooking the list view or whatever control that is).
----------------------------------------------------------

That sounds very good to me.  Perfect, in fact.  Like I said - it doesn't have to be really hidden - just from the task manager.
0
 

Author Comment

by:Bob_Hoskins
ID: 6944742
Can anyone here give me code to do just that?

Bob Hoskins.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 6944817
Well, hooking APIs is not too easy. You will probably have to hook NtQuerySystemInformation, that's the lowest level of process enumeration. All other process enumeration APIs (and there are several) end up in NtQuerySystemInformation. You can try to use import table patching, but I'm not sure whether that is good enough. The best API hooking method is what my package madCodeHook uses (namely extended code overwriting).

If the output control is really a list view, life is a bit easier for you. In that case you probably have to subclass the list view control, then you can filter out the list view messages that add your process to the list. Hopefully the task manager gets along with that. It could very well be that the indexes get confused this way - that would be bad! You'll have to try...

Regards, Madshi.
0
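Added example (not code from the thread or from madCodeHook): a defender-side cross-view check for the hiding approach described above. Since every enumeration API ends in NtQuerySystemInformation, a process hidden by hooking that call in the enumerating process still exists and can still be opened by PID, so PIDs that OpenProcess accepts but the enumeration omits are the hidden ones. It assumes a Vista-or-later host (PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; on the NT of this thread use PROCESS_QUERY_INFORMATION = 0x0400) and a PowerShell session where Add-Type is available.

```powershell
# Cross-view hidden-process check (constructed example, not from the thread).
# View 1: the enumeration view (Get-Process, which like Task Manager ends up in
#         NtQuerySystemInformation and is what an in-process hook can filter).
# View 2: direct OpenProcess probes over the PID space, which need no enumeration.
if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}

function Find-HiddenProcessIds {
    param([int]$MaxPid = 65535)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # Vista+; 0x0400 on NT4/2000/XP

    # Snapshot of what the enumeration view reports.
    $listed = @{}
    Get-Process | ForEach-Object { $listed[[int]$_.Id] = $true }

    $hidden = @()
    # NT process IDs are multiples of 4, so only those values are probed.
    for ($id = 4; $id -le $MaxPid; $id += 4) {
        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$id)
        if ($h -eq [IntPtr]::Zero) { continue }   # no such process, or access denied
        [void][Win32.Native]::CloseHandle($h)

        if (-not $listed.ContainsKey($id)) {
            # Re-check to rule out a process that simply started after the snapshot.
            if (-not (Get-Process -Id $id -ErrorAction SilentlyContinue)) {
                $hidden += $id
            }
        }
    }
    return $hidden
}

# Prints the PIDs that can be opened but are missing from the enumeration view.
Find-HiddenProcessIds
```

Access-denied opens (protected or higher-integrity processes) cause misses rather than false alarms, so run the check elevated for full coverage.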
 

Author Comment

by:Bob_Hoskins
ID: 6944833
Madshi, thanks but I don't even know what that means.  I need someone to code it for me.  I know you can't do it at the moment so I thank you for the methodology.

Bob Hoskins.
0
 

Author Comment

by:Bob_Hoskins
ID: 6947358
No more comments?

Bob Hoskins.
0
 
LVL 7

Expert Comment

by:God_Ares
ID: 6947457
i think you should accept Madshi's comment as an answer, like Madshi said you have to do the work for yourself. just start and you'll get there.
0
 

Author Comment

by:Bob_Hoskins
ID: 6947470
I'm not accepting it as an answer as I have asked for code.

I understand where you're coming from but if I don't get fully tested code for this question then I won't accept an answer.  That is what I've asked for : )

Bob Hoskins.
0
 
LVL 27

Expert Comment

by:kretzschmar
ID: 6947482
well for 4000 points,
there could be someone,
which does this for you
(not me)

meikl ;-)
0
 
LVL 12

Expert Comment

by:Lee_Nover
ID: 6947490
bob could you wait a day or two ?
really busy at the moment
hooking the task list shouldn't be that hard as I've done stuff like that before
0
 

Author Comment

by:Bob_Hoskins
ID: 6949795
Thanks Lee - I can gladly wait.  I look forward to your code!

Bob Hoskins
0
 
LVL 7

Expert Comment

by:God_Ares
ID: 6950100
Madshi, does your inject dll code go something like

SendMessageCallback




function callback
{
  loadlibrary

}

?
0
 
LVL 20

Expert Comment

by:Madshi
ID: 6951908
God_Ares, no, I'm using CreateRemoteThread. Works much better/faster/more reliable - and also for window-less applications. It works even for crashed/frozen applications...   :-)
0
 
LVL 12

Expert Comment

by:Lee_Nover
ID: 6952230
bob : don't want to alarm you ... I tried a quick process ListView 'hack' but it just crashed the task manager :)
it was a quick "go at it" in my spare time
the idea was to simply : get the listview handle, find the entry of our process, delete it :)
will work on it today/tomorrow
getting really interesting :)
0
 
LVL 12

Expert Comment

by:Lee_Nover
ID: 6957684
the ListView is 'booby trapped'
anything I tried simply crashed task manager

you can try the code:

uses CommCtrl;

var hLV: HWND;

function FindLVItem(Handle: Integer; const Text: string): Integer;
var Info: TLVFindInfo;
    I, cnt: Integer;
    lpBuff: PChar;
begin
//     FillChar(Info, SizeOf(TLVFindInfo), 0);
//     Info.flags:=LVFI_STRING;
//     Info.psz:=PChar(Text);
//     Result:=ListView_FindItem(Handle, -1, Info);
     cnt:=ListView_GetItemCount(Handle);
     Result:=-1;
     GetMem(lpBuff, 50);
     for I:=0 to cnt-1 do begin
         ListView_GetItemText(Handle, I, 0, lpBuff, 50);
         if string(lpBuff) = Text then begin
            Result:=I;
            break;
         end;
     end;
     FreeMem(lpBuff);
end;

procedure TForm1.Button1Click(Sender: TObject);
var hTaskWnd, hTab, hProcsWnd: HWND;
    i: Integer;
    fn: string;
begin
     hTaskWnd:=FindWindow(nil, 'Windows Task Manager');
     hTab:=0;
     repeat
       hTab:=FindWindowEx(hTaskWnd, hTab, nil, nil);
       hProcsWnd:=FindWindowEx(hTab, 0, nil, 'Processes');
     until (hTab < 1)or(hProcsWnd > 0);

     if hProcsWnd < 1 then exit;
     Caption:=IntToHex(hProcsWnd, 8);

     fn:=ExtractFileName(ParamStr(0));
     I:=FindLVItem(hProcsWnd, fn);

     exit;

     if I > -1 then
        ListView_DeleteItem(hLV, I);
end;

maybe with "Injecting" a dll and then calling the messages would work
or try to "hook" the EnumProcess functions

...
0
 
LVL 1

Expert Comment

by:pnh73
ID: 9003235
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept answer from Madshi

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
Paul (pnh73)
EE Cleanup Volunteer
0
 

Author Comment

by:Bob_Hoskins
ID: 9003283
I've accepted a comment from Madshi, as requested, but I'm NOT giving any more points for an answer that does not include code which is what I asked for all along.

I should never have been told to accept an answer in the first place.
0
 
LVL 12

Expert Comment

by:Lee_Nover
ID: 9003387
accepting the answer was a suggestion, you still could've deleted, PAQ-ed it or left it alone
0
 
LVL 1

Expert Comment

by:pnh73
ID: 9004765
That suggestion would have been followed by the moderation team unless any (successful) objections were raised.

Paul (pnh73)
EE Cleanup Volunteer
0
