Solved

Hide from NT Process List. (+4000 Points)

Posted on 2002-04-15
Last Modified: 2010-04-04
Hello.

I've been looking for, and trying to create myself, an application that can hide itself from the NT process list.  I know that this can be done as I have a program that does it.  (PC Activity Monitor - you see the monitor application start up and disappear immediately.)

If it's possible to have a DLL execute and remain resident after the calling EXE completes, this will probably suffice, but as long as the end result is 100%, I don't care on the method.

I know 75 points is not a lot for this, but that's all I currently have.  I have 1000 points due to me for filling out the current survey, and I will willingly give these (multiplied by 4 for an excellent grade) for a 100% solution to this question.

Bob Hoskins
(Actor Extraordinaire)
Question by: Bob_Hoskins

33 Comments

Expert Comment by: MoonCalf (LVL 1)
I've tried this before so I'm definitely listening....

Expert Comment by: kretzschmar (LVL 27)
a job for madshi, i guess
listening also . . .

Expert Comment by: Jaymol (LVL 6)
Lots of points.  Are we going to see a real solution this time?

John.

Expert Comment by: dMa (LVL 2)
The answer depends on the operating system. On Win9x, where the task list is the one shown by pressing Ctrl-Alt-Del, you can hide your application by registering it as a Service, via the RegisterServiceProcess() API. On NT it's impossible by using this function.
I will look for any possibility to do it. I think one of them is to register your application as Explorer; many viruses hide their own process like this.
Tip: search for sources on hacker URLs; they have many virus listings if you understand assembler language :)

Expert Comment by: ginsonic (LVL 9)
Ups!

Expert Comment by: AlexNek (LVL 16)
To Bob_Hoskins
One well-known solution is:
RegisterServiceProcess(GetCurrentProcessID, 1);

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/win32/95func_3t0z.asp

But it doesn't work in all OS.

Expert Comment by: bruintje (LVL 44)
listening

Expert Comment by: Lee_Nover (LVL 12)
depends what your app has to do
you could basically make an activex dll
for instance an IShellExecuteHook
you launch your own filetype and check the file you ran
then do whatever your "app" has to do ...
I haven't tested this ... only wrote it quickly
it compiled ok ...
in order to work you need to register the filetype you want
this was just one of the ideas I thought of
maybe something else will also come to mind :)
here's the link to the sources:
http://lee.nover.has.his.evilside.org/isapi/pas2html.dll/pas2html?File=/delphi/MiscFiles/IShellExecuteVirtualApp/
this is on my machine so if someone can put it on a more stable server it would be great :)

hope this helps at all

Author Comment by: Bob_Hoskins
Hi Guys.

Thanks for comments so far, but still waiting for an answer.

Yes, I am working on NT (as it says in the question).  I think people should try looking at this from another angle - I'm not asking how to hide an application from the operating system - just the task manager.

I saw a question recently that used a listview macro to read a listview from another program.  Would it be possible to trap the redraw message of the task manager's listview and remove the item before the listview is visibly refreshed?  (This is purely an idea though.)

Any other ideas are more than welcome, but when complete, I want to be able to copy code directly from here to my application and that's all I have to do.

Thank you,

Bob Hoskins
Actor Extraordinaire

Author Comment by: Bob_Hoskins
Lee_Nover : I appreciate the time and effort on your part, but I don't even know if that code was relevant as there's no instructions on using it whatsoever.

Please, 4000 points is a lot, and it's not a lot to ask in return for well documented and tested code.

Bob Hoskins.

Expert Comment by: Lee_Nover (LVL 12)
I'm not in for the points
I just like to help on interesting topics
anyway I'm gonna try out the thing I wrote and if it works well I'll comment the code
about your suggestion to hook the taskmanagers listview .. I'll check into that also
an interesting idea :)

Author Comment by: Bob_Hoskins
Thanks Lee.  By the way - Girls Kissing?  NICE!!!

Bob Hoskins.

Accepted Solution by: Madshi (LVL 20), earned 75 total points
You have several possibilities, but they're not nice altogether:

(1) After your program has started, you can try to copy your program into the context of another process and execute it there as a remote thread (CreateRemoteThread). This approach is used by bo2k. It's quite difficult, though. No idea, if it's actually possible with Delphi, never tried that yet.

(2) You could put all your program into a dll and inject that dll into another process. That's relatively easy, you can e.g. use my package "madRemote", with which you  can simply call "InjectLibrary(processHandle, 'c:\yourPath\yourDll.dll')" to inject your dll into any running process.

(3) You could set up a cbt or shell hook (SetWindowsHookEx) to be notified about the creation of the task manager window. After you have that handle you can hook into that process and do whatever you like with it. E.g. you could hook the process enumeration APIs inside of the task manager or hook the output directly (e.g. by hooking the list view or whatever control that is).

For all solutions you need enough privileges, maybe the current user must even have administrator rights, not sure about that...

Sorry, I can't really do much more than talk about how you could do it. You will have to do the work yourself. The easiest way would probably be to inject a dll into another process.

Regards, Madshi.

Author Comment by: Bob_Hoskins
Thanks Madshi.  Where can I get a copy of madRemote?  I'll give it a go.

Bob Hoskins.

Expert Comment by: Madshi (LVL 20)
Ooooooop, sorry, totally forgot to mention that. And I also was confused about my own packages...   :-(   You need madCodeHook + madRemote, sorry...

Here is my homepage, both madRemote and madCodeHook are free for non-commercial usage (but without sources):

http://www.madshi.net

Here is the online documentation:

http://help.madshi.net/Data/madCodeHook.htm

Regards, Madshi.

Author Comment by: Bob_Hoskins
Thanks Madshi.

----------------------------------------------------------
(3) You could set up a cbt or shell hook (SetWindowsHookEx) to be notified about the creation of the task manager window. After you have that handle you can hook into that process and do whatever you like
with it. E.g. you could hook the process enumeration APIs inside of the task manager or hook the output
directly (e.g. by hooking the list view or whatever control that is).
----------------------------------------------------------

That sounds very good to me.  Perfect, in fact.  Like I said - it doesn't have to be really hidden - just from the task manager.

Author Comment by: Bob_Hoskins
Can anyone here give me code to do just that?

Bob Hoskins.

Expert Comment by: Madshi (LVL 20)
Well, hooking APIs is not too easy. You will probably have to hook NtQuerySystemInformation, that's the lowest level of process enumeration. All other process enumeration APIs (and there are several) end up in NtQuerySystemInformation. You can try to use import table patching, but I'm not sure whether that is good enough. The best API hooking method is what my package madCodeHook uses (namely extended code overwriting).

If the output control is really a list view, life is a bit easier for you. In that case you probably have to subclass the list view control, then you can filter out the list view messages that adds your process to the list. Hopefully the task manager gets along with that. It could very well be, that the indexes get confused this way - that would be bad! You'll have to try...

Regards, Madshi.

Author Comment by: Bob_Hoskins
Madshi, thanks but I don't even know what that means.  I need someone to code it for me.  I know you can't do it at the moment so I thank you for the methodology.

Bob Hoskins.

Author Comment by: Bob_Hoskins
No more comments?

Bob Hoskins.

Expert Comment by: God_Ares (LVL 7)
I think you should accept Madshi's comment as an answer. Like Madshi said, you have to do the work for yourself. Just start and you'll get there.

Author Comment by: Bob_Hoskins
I'm not accepting it as an answer as I have asked for code.

I understand where you're coming from but if I don't get fully tested code for this question then I won't accept an answer.  That is what I've asked for : )

Bob Hoskins.

Expert Comment by: kretzschmar (LVL 27)
well for 4000 points,
there could be someone,
which does this for you
(not me)

meikl ;-)

Expert Comment by: Lee_Nover (LVL 12)
bob could you wait a day or two ?
really busy at the moment
hooking the task list shouldn't be that hard as I've done stuff like that before

Author Comment by: Bob_Hoskins
Thanks Lee - I can gladly wait.  I look forward to your code!

Bob Hoskins

Expert Comment by: God_Ares (LVL 7)
Madshi, does your inject dll code go something like

SendMessageCallback

function callback
{
  LoadLibrary
}

?

Expert Comment by: Madshi (LVL 20)
God_Ares, no, I'm using CreateRemoteThread. Works much better/faster/more reliable - and also for window-less applications. It works even for crashed/frozen applications...   :-)

Expert Comment by: Lee_Nover (LVL 12)
bob : don't want to alarm you ... I tried a quick process ListView 'hack' but it just crashed the task manager :)
it was a quick "go at it" in my spare time
the idea was to simply : get the listview handle, find the entry of our process, delete it :)
will work on it today/tomorrow
getting really interesting :)

Expert Comment by: Lee_Nover (LVL 12)
the ListView is 'booby trapped'
anything I tried simply crashed task manager

you can try the code:

uses CommCtrl;

function FindLVItem(Handle: HWND; const Text: string): Integer;
var I, cnt: Integer;
    lpBuff: PChar;
begin
     // ListView_FindItem with LVFI_STRING did not work here, so walk the
     // items and compare the text of column 0 ourselves.
     cnt:=ListView_GetItemCount(Handle);
     Result:=-1;
     GetMem(lpBuff, 50);
     try
       for I:=0 to cnt-1 do begin
           ListView_GetItemText(Handle, I, 0, lpBuff, 50);
           if string(lpBuff) = Text then begin
              Result:=I;
              break;
           end;
       end;
     finally
       FreeMem(lpBuff);
     end;
end;

procedure TForm1.Button1Click(Sender: TObject);
var hTaskWnd, hTab, hProcsWnd: HWND;
    I: Integer;
    fn: string;
begin
     hTaskWnd:=FindWindow(nil, 'Windows Task Manager');
     if hTaskWnd = 0 then exit;   // Task Manager is not running

     // Walk the child windows of Task Manager until the one that holds
     // the 'Processes' page is found (or the children run out).
     hTab:=0;
     repeat
       hTab:=FindWindowEx(hTaskWnd, hTab, nil, nil);
       hProcsWnd:=FindWindowEx(hTab, 0, nil, 'Processes');
     until (hTab = 0) or (hProcsWnd <> 0);

     if hProcsWnd = 0 then exit;
     Caption:=IntToHex(hProcsWnd, 8);

     fn:=ExtractFileName(ParamStr(0));
     I:=FindLVItem(hProcsWnd, fn);

     // Bail out here: deleting the item crashed Task Manager in every
     // attempt, so the code below is never reached.
     exit;

     if I > -1 then
        ListView_DeleteItem(hProcsWnd, I);   // was hLV, an uninitialised global
end;

maybe with "Injecting" a dll and then calling the messages would work
or try to "hook" the EnumProcess functions

...

Expert Comment by: pnh73 (LVL 1)
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept answer from Madshi

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
Paul (pnh73)
EE Cleanup Volunteer

Author Comment by: Bob_Hoskins
I've accepted a comment from Madshi, as requested, but I'm NOT giving any more points for an answer that does not include code which is what I asked for all along.

I should never have been told to accept an answer in the first place.
0
 
LVL 12

Expert Comment

by:Lee_Nover
Comment Utility
accepting the answer was a suggestion, you still could've deleted, PAQ-ed it or left it alone

Expert Comment by: pnh73 (LVL 1)
That suggestion would have been followed by the moderation team unless any (successful) objections were raised.

Paul (pnh73)
EE Cleanup Volunteer