Solved

How to hide process under NT/2000/XP (VC++) ???

Posted on 2002-06-07
35
4,897 Views
Last Modified: 2013-12-03
Hi,
i am searching sample code to hide my application of the view of taskmanager app (and other process viewers) under Windows NT/2000/XP.
A sample code in MSVC++ and points go to you.
Thanxxxxxx for your precious help !
0
Comment
Question by:tradinfo
  • 13
  • 9
  • 3
  • +4
35 Comments
 
LVL 8

Expert Comment

by:fl0yd
Comment Utility
I'm just guessing here, but you are trying to create an application that is totally cloaked, i.e. noone will ever notice it's there. Now I'm asking myself why you are asking for this behaviour... could it be that you're trying to do something malicious to someone's system? Please tell us what you are after. The resemblance to a stealth fighter should be close enough, to make any reflecting human being reluctant to give away info.
0
 

Author Comment

by:tradinfo
Comment Utility
i am working on a security application and the aim is to "protect the innocents" not "f**k everybody"...
And to have a real protection, I need a way to secure my own application first from "malicious" people who would like disable this app and try to pass through this app...
That's why i am asking you such a question. Nothing bad in my question, just a real question of a real coder for a real problem...
So thanxxx for all people who'll be able to answer my question and gimme a solution and a sample code...
send it to me by email if you don't want to give this solution to every one else :

{{obscenity masked and email address  removed -- DanRollins / EE Page Editor }}

thanx.
0
 
LVL 8

Expert Comment

by:fl0yd
Comment Utility
No offence intended. But I'd rather be safe than sorry. Just wanted to make sure what you're after. I came across your homepage -- even though I couldn't read it (it's in french only :( ) I believe that you actually want to "protect the innocent".

Now for your problem: I'm not sure whether this is possible at all. If you want an application to run you need to create a process for it and thus it will show up in any process viewer. You could possibly inject it into some other application's process but I have never done anything similar before so I can't provide you with any help there.
What you are really after is a way to make sure that your application cannot be terminated unless the entire system is shut down. What if you relaunch your application if someone tries to terminate it. Unless this someone is the system itself requesting a shutdown your app should keep going. Does that sound like a step in the right direction?
0
 
LVL 32

Expert Comment

by:jhance
Comment Utility
Implement your application as a SERVICE.  Advantages here:

1) Services do NOT appear in the task manager.

2) Only privileged users can add/modify/delete services.

3) Services run (usually) under the local system account which has the kind of privilege you need to "protect" things.

4) "Malicious" users CANNOT stop a service from doing its thing.
0
 

Author Comment

by:tradinfo
Comment Utility
My MFC application is written for Win95/98. I already have a test to know which OS is running, and I'd like to know if there is a sample somewhere to launch my app as a service when i detect NT/2K/XP OS...
Another way should be to refuse the shtudown when a user tries to kill my process under the 'ProcessManager' but I don't know how to do this...
Help thx...
0
 
LVL 32

Expert Comment

by:jhance
Comment Utility
Wait a minute, you said: "Windows NT/2000/XP".  Now you say Win95/98.  Which is it?  It makes a BIG difference!

Perhaps you should rephrase the entire question and include ALL relevant information this time.
0
 

Author Comment

by:tradinfo
Comment Utility
Well here is the problem, sorry for my bad english:
1. I have written an MFC application which runs fine under Win95/98/NT/2000/XP. I have been able to hide from ProcessMgr my application under Win95/98 OSes, but under NT/2K/XP my app is visible under the ProcessManager.
So my question is: How can I hide my app from the process manager when I run it under NT/2K/XP ???
Thanx for your help.
0
 
LVL 6

Expert Comment

by:MichaelS
Comment Utility
If you detect not 9x OS than you can run that code

HMODULE hModule = LoadLibrary("kernel32.dll");

DWORD (_stdcall* pFunction)(DWORD, DWORD);
pFunction = (DWORD(_stdcall*)(DWORD, DWORD))GetProcAddress(hModule, "RegisterServiceProcess");

if(pFunction)
    pFunction(NULL, 1);
0
 
LVL 6

Expert Comment

by:MichaelS
Comment Utility
Oops, that is NOT for NT/2k/XP :(
0
 
LVL 6

Expert Comment

by:MichaelS
Comment Utility
Take a loot at
http://www.codeguru.com/system/index.shtml
may be it will give you some ideas about how to "hide" you process. Actually I don't know how to hide and not sure that it's possible at all. But start it as service looks for me the only way how to go.
0
 

Author Comment

by:tradinfo
Comment Utility
I have created a small sample code in VC++ which runs as a process under 95/98/Me and as a SERVICE under NT/2K/XP, but...
even if it is a service under XP, I always be able to see it in the task manager...
It is too big to show you the code in this column but I can send you a small zip file with my sample code inside if you want to take a look and help me to hide this service from eyes and task managers...
Thanks
0
 
LVL 7

Expert Comment

by:peterchen092700
Comment Utility
AFAIK you can't hide a process under Windows NT+ (legally), even if it runs as a service.
Whan you can do is to make it "unstoppable" (like the system idle process, etc.) - but don't ask me how ;)



0
 

Author Comment

by:tradinfo
Comment Utility
Well, as many of you tell me it is impossible to hide a process under NT, I have to find another solution.
One of the best seems to make my process "unstoppable" even if we try to stop it manually via the process manager.
Do you know I can make a process unstoppable ? A sample code and points is to you. If you don't want to give the solution to this board (as you don't know if bad people will see the sample later), you can send it to me directly to my email.
Thanks very much for helping me in finding a real solution to this real problem !!!
David.
0
 
LVL 2

Expert Comment

by:MarkSteward
Comment Utility
Sorry if this seems a bit miserable, but securing Windows 98 is a really huge task, and to be complete would require a complete redesign (Microsoft designed it to allow programs to do practically anything, as there were so many terribly written programs that consumers loved).

In Windows NT, though, you can take advantage of the built-in framework for making processes secure, by making your process a service.  When you do this, you can ask for it not to be stoppable, and (even better) set the computer to shut down if your service fails.  The extra work of turning your program into a service is worth it for the *absolute* security you gain from it.

Remember, though, that an administrator has ultimate control of the computer, and certain privileges can be granted through Group Policies that might allow a user to bypass the security of services, as can uncareful setting of file permissions.

Best luck,
    Mark Steward
0
 

Author Comment

by:tradinfo
Comment Utility
Mark,
Thank you for your comment. As I told to all few days ago, I have written a sample code which allow my app to run as a service under NT/2K/XP and as a process under 95/98/Me.
But I am not good enough and don't have the knowledge to make my Service unstoppable and don't know how I can tell the OS to shutdown if my service is stopped. Would you please help me ? I can send to those who really wan't to solve my problem and help me a small sample code zipped in VC++6 to work on it.
For a better help, I increase points to 100.
Please thanks for all help !
Best regards.
David.
0
 

Author Comment

by:tradinfo
Comment Utility
points increased to 100 !
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 7

Expert Comment

by:peterchen092700
Comment Utility
I think it's along the lines of running the process under a specific account, and providign a security descriptor that denies the PROCESS_TERMINATE right to all others. However, as said, I have no *real* idea how to do this, sorry...

peter
0
 
LVL 2

Expert Comment

by:MarkSteward
Comment Utility
I assume you're using the CreateService, etc. API to create your service, rather than setting it up manually in the registry (not a good idea).

Once you've created your service, use the handle to it (from CreateService, or OpenService if it already exists) to call SetSericeObjectSecurity (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/setserviceobjectsecurity.asp).

Assuming you want to deny Users permission to stop your service, use DACL_SECURITY_INFORMATION for dwSecurityInformation, and create a security descriptor (see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/security_descriptor.asp) that denies SERVICE_PAUSE_CONTINUE and SERVICE_STOP to the group Users.  See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/services_4upf.asp, about 5/6 of the way down, under "The following are the specific access rights for a service".

One more thing: don't forget that a user sitting at a computer can restart in Last Known Good Configuration, which, if you haven't updated it, will stop your service running altogether (it won't be listed in the registry, or its security descriptor might be the old one!).

Regards,
    Mark
0
 

Expert Comment

by:gdzdongdong
Comment Utility
I think u can use another way for u question: attach u process to another process in system, for example attach u process to Explorer.exe !
0
 
LVL 2

Expert Comment

by:MarkSteward
Comment Utility
That's an option, but has no security whatsoever: it only hides it as well as Windows 98 can a user-mode process (although in Windows 98 you can write a kernel-mode stub to ensure your program won't close, or even crash the system when it does, but I'm not interested in Windows 98).  The better thing to do is attach to svchost, etc., *by creating a service*, and, as a service, it cannot be closed.  Or, if you don't want to hide it, just don't ask CreateService to attach it to one of the existing service hosts.
0
 
LVL 2

Expert Comment

by:MarkSteward
Comment Utility
One more thing, though, off the top of my head: you don't want them debugging it.  Check gpedit.msc: Local computer\Windows settings\Security Settings\Local Policies\User rights assignment\Debug programs.

We still don't know how comprehensive you want your program to be, but I assume the users will not be Administrators, and you have stuff like BIOS protection to stop them booting off disks and policies for account lock-out (after a certain number of failed passwords).
0
 

Author Comment

by:tradinfo
Comment Utility
I have already a set of antidebugging protection in my code and stealth/self-protection of my application (with log files on errors or trying to debug or break my software and other tricks like that).
Well, my main problem is to make my application manually unstoppable (as it seems I can't hide it from process manager)...
And it is not so easy to do so, Mark...
The way to attach it to another process is not a way I wan't to explore because I don't want my application being dependent of other process or third party apps...
Still trying to make my NT service "unbreakable"
David.
0
 
LVL 2

Expert Comment

by:MarkSteward
Comment Utility
Yes - I don't think simply attaching to another process is a good idea, most obviously because that process can be killed.

I assume the anti-debugging protection is for Windows 98: I honestly think the only way to protect your program in Windows 98 is to make it a device driver.  But then, it depends how secure you want it.
0
 

Author Comment

by:tradinfo
Comment Utility
I still have problems with creating and installing a service...
2 problems:
1. I have a "Access denied" under Win2K (no admin. priviledge) when I try to install my service.
2. I don't know very well how to define the parameters to have "Unstoppable" process.
Here is the sample code i am trying to use.
If one of you could help me it should be nice.

InstallNTService method:          
======================

BOOL CMyNTService :: InstallService()
{

     BOOL bRet = FALSE;

     SC_HANDLE schSCManager = OpenSCManager(
                    0, // machine (NULL == local)
                    0, // database (NULL == default)
                    SC_MANAGER_ALL_ACCESS     // access required
               );

          if( schSCManager ) {
               SC_HANDLE schService =     CreateService(
                                   schSCManager,
                                   m_lpServiceName,
                                   m_lpDisplayName,
                                   m_dwDesiredAccess,
                                   m_dwServiceType,
                                   m_dwStartType,
                                   m_dwErrorControl,
                                   szPath,
                                   m_pszLoadOrderGroup,
                                   ((m_dwServiceType == SERVICE_KERNEL_DRIVER
                                    || m_dwServiceType == SERVICE_FILE_SYSTEM_DRIVER)
                                   &&  (m_dwStartType == SERVICE_BOOT_START
                                        || m_dwStartType == SERVICE_SYSTEM_START))
                                   ? &m_dwTagID : 0,
                                   m_pszDependencies,
                                   m_pszStartName,
                                   m_pszPassword
                                   );

 
               if( schService ) {
                    // *** Service is created
                    // *** Set Security to service
                    // *** To make it UNSTOPPABLE ***
                    BOOL bRet = SetServiceObjectSecurity(
                              schService, // SC_HANDLE hService,
                              // *** SECURITY_INFORMATION dwSecurityInformation,
                              // *** PSECURITY_DESCRIPTOR lpSecurityDescriptor
                                        );
                   
                   
                    _tprintf(TEXT("%s installed.\n"), m_lpDisplayName );
                    CloseServiceHandle(schService);
                    bRet = TRUE;
               } else {
                    TCHAR szErr[256];
                    _tprintf(TEXT("CreateService failed - %s\n"), GetLastErrorText(szErr, 256));
               }

               CloseServiceHandle(schSCManager);
           } else {
               TCHAR szErr[256];
               _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256));
          }

          if( bRet ) {
               // installation succeeded. Now register the message file
               RegisterApplicationLog(
                    szPath,          // the path to the application itself
                    EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | EVENTLOG_INFORMATION_TYPE // supported types
               );

               AddToMessageLog(TEXT("Service installed"),EVENTLOG_INFORMATION_TYPE);
          }
     }     //!! TCW MOD

     return bRet;
}

THX !!!
0
 
LVL 2

Expert Comment

by:MarkSteward
Comment Utility
Of course you get access denied if you're not administrator in 2000: you're trying to create a service.  Note that you only need do this once.  (I haven't checked your code.)

You have to have set up the security descriptor before you call SetServiceObjectSecurity.  Can you show us what you're using at the moment for that, so we can advise?
0
 

Author Comment

by:tradinfo
Comment Utility
>Of course you get access denied if you're not >administrator in 2000: you're trying to create a service.

Well then,
Bad news. I need a solution which allow user to install and use my software WITHOUT the need to be an administrator to run my app...

>You have to have set up the security descriptor before
>you call SetServiceObjectSecurity.  Can you show us what
>you're using at the moment for that, so we can advise?

Here is my sample

if( schService ) {
  // *** Service is created
  // *** Set Security to service
  // *** To make it UNSTOPPABLE ***
  BOOL bRet = SetServiceObjectSecurity(
               schService, // SC_HANDLE
               hService, // *** SECURITY_INFORMATION
               dwSecurityInformation, // *** PSECURITY_DESCRIPTOR lpSecurityDescriptor
                        );
                   
0
 
LVL 2

Expert Comment

by:MarkSteward
Comment Utility
Is this by any chance your SurfGuard program?  ("Désactivation impossible. Protège instantanément votre navigateur!").  If so, you need to consider how secure it really needs to be.  This depends on who you hope to use it: is this a program for home or business?

In Windows 95/98/Me there is no security structure: all users are effectively Administrators.  However, in Windows NT/2000/XP, users cannot by default make lasting changes to the computer that affect other users.  I think therefore it's reasonable to expect people to install your program in Windows 2000 as Administrator.  It seems very unlikely that someone would install your program as a user, without having access to any administrative account.  If it is business, they will *expect* you to have built a properly secured design, involving services.

I assume what you want is just something that stops casual users from pressing Ctrl+Alt+Del and killing the program.  In Windows 2000, I think this can only be done with services.  If you want to stop casual meddlers stopping it (as must be the case with Windows 95/98/Me), you will also have to consider Windows XP, where most users are administrators by default, and can stop services: you would have to build an unstoppable service in that case.  I'm contributing to another thread about that - I'll find my information if you want it.

Sorry if this seems a bit didactic - I'm trying to be terse.  Your program looks promising - if you'd like me to help with anything else, feel free to email me at marksteward@hotmail.com.

Regards,
    Mark
0
 

Author Comment

by:tradinfo
Comment Utility
the question is still open, if someone can tell me what parameters I have to put in SetServiceObjectSecurity() and if the call to this method is enough to make my service unstoppable, it'd be great!
I can send a small sample code to those who want to help me, just gimme your email...
PS: Mark, I sent you an email some days ago...
Thanks for all !
0
 

Author Comment

by:tradinfo
Comment Utility
Question still open !
Points increased to 120...
If someone is able to send me a sample code which creates an unstoppable service under NT/2K/XP, (s)he win(s) !
Or I can send you my small( 10 ko ) sample code to complete it to make it unstoppable...
PLEASE HELP ME! IT IS VERY IMPORTANT !!!
Is everybody in holidays ???
0
 
LVL 8

Expert Comment

by:fl0yd
Comment Utility
A good coder is never on holiday - he may be working on a different machine, that's about as far as it gets ;)
0
 

Author Comment

by:tradinfo
Comment Utility
thanks for your comment fl0yd, it helps me a lot ;-)

Question still open, and points increased to keep motivation high to solve my f*** problem...

THANKS FOR ALL YOUR HELP !
0
 
LVL 2

Expert Comment

by:MarkSteward
Comment Utility
Sorry for the delay - I started a holiday job on Monday, and I've had absolutely no time free...  You'll probably want something like the following (this is probably full of mistakes - please bear with me):

  SC_HANDLE schSCM     = NULL;
  SC_HANDLE schService = NULL;

  // Open a handle to the SCM.
  schSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
  if (schSCM == NULL) ReportErrorAndExit(); else{
    // Create the service: returns a handle to the service.
    schService = CreateService(
     schSCM,
     TEXT("SurfGuard"),
     TEXT("SurfGuard protection service"),
     SERVICE_ALL_ACCESS,
     SERVICE_INTERACTIVE_PROCESS,
     SERVICE_AUTO_START,
     SERVICE_ERROR_CRITICAL,
     TEXT("%ProgramFiles%\\SurfGuard\\sg.exe"),
     NULL,
     NULL,
     NULL,
     NULL,
     NULL);
    if (schService == NULL) ReportErrorAndExit();
  }

This might be all you need.  By default, users cannot start or stop a new service, and Power Users and Administrators can.  This is not a worry in Windows 2000, but in Windows XP most users are actually Administrators.  If you want your service to be unstoppable by administrators, simply deny them that privilege.  They can always change the privilege back, but you're only trying to stop casual attacks.

  BOOL                 bDaclPresent    = FALSE;
  BOOL                 bDaclDefaulted  = FALSE;
  DWORD                dwSdSize        = 0;
  EXPLICIT_ACCESS      ea;
  PACL                 paclServiceDacl = NULL;
  PSECURITY_DESCRIPTOR psdService;

  // Get current object security descriptor, getting its size first.
  if (!QueryServiceObjectSecurity(schService, DACL_SECURITY_INFORMATION, psdService, 0, &dwSdSize)){
    if (GetLastError() == ERROR_INSUFFICIENT_BUFFER){
      psdService = (PSECURITY_DESCRIPTOR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSdSize);
      if (!psdService) ReportErrorAndExit();
      if (!QueryServiceObjectSecurity(schService, DACL_SECURITY_INFORMATION, psdService, dwSdSize, &dwSdSize)) ReportErrorAndExit();
    }else ReportErrorAndExit();
  }

  // Get the DACL for the new service's security descriptor.
  if (!GetSecurityDescriptorDacl(psdService, &bDaclPresent, &paclServiceDacl, &bDaclDefaulted)) ReportErrorAndExit();

  // Create and EXPLICIT_ACCESS structure: I've used this function because it was used in Microsoft's sample.
  // It would be better to build the structure from scratch, using the well-known SID for Administrators as a TRUSTEE.
  BuildExplicitAccessWithName(&ea, TEXT("Administrators"),
    READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS,
    SET_ACCESS, NO_INHERITANCE);

  // If using the low-level functions, you must build the ACE in order:
  // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp
  // Fortunately, SetEntriesInAcl does ordering automatically.
  if (!SetEntriesInAcl(1, &ea, paclServiceDacl, &paclServiceDacl)) ReportErrorAndExit();

  // Set the new DACL in the security descriptor.
  if (!SetSecurityDescriptorDacl(psdService, TRUE, paclServiceDacl, FALSE)) ReportErrorAndExit();

  // Set the new DACL for the service object.
  if (!SetServiceObjectSecurity(schService, DACL_SECURITY_INFORMATION, psdService)) ReportErrorAndExit();

  // Close the handles.
  if (!CloseServiceHandle(schSCM)) ReportErrorAndExit();
  if (!CloseServiceHandle(schService)) ReportErrorAndExit();

  // Free buffers.
  LocalFree(paclServiceDacl);
  HeapFree(GetProcessHeap(), 0, (LPVOID)psdService);

To start the service immediately, now call StartService(schService, 0, NULL).  You might want to see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/services_938l.asp for how to check whether the service started OK.

In the uninstall program, you'll have to use OpenSCManager, OpenService and DeleteService.

Turning a program into a service is hard work: you now need to go through your program and check that it will work when nobody's logged on, and when more than one person is (terminal services is built into XP).  You might find it easier to have the working part of your program in the service, and make an ordinary program that communicates with the service when the user wants to change a setting.  As I've chosen SERVICE_AUTO_START and SERVICE_ERROR_CRITICAL to ensure that it runs, you must make sure the program doesn't crash often!  You also need to come up with proper error messages for the code above!

To save time, I've used ReportErrorAndExit() to represent a function that would close all handles and report a sensible error to the user: you probably don't want an error to be fatal, but want to give the user a chance to retry.  I'd actually put all the handle closing in the main function, changing all the ifs to nested ifs, down to SetServiceObjectSecurity, but I haven't done that for clarity.

I haven't left in many comments: if you want me to clarify any of these parameters, please feel free to ask.  Also, if you'd find it easier to write in French, my comprehensions's fine (although I'm not up to replying in French).

To all the experts: nobody else seems to have submitted service security code in EE, so if anyone has anything to contribute, I'm sure this would be a useful PAQ.

Mark
0
 
LVL 2

Accepted Solution

by:
MarkSteward earned 150 total points
Comment Utility
Or you can use http://www.helge.mynetcologne.de/setacl.

Best wishes,
  Mark

(and cheers to Alan)
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

This article describes how to add a user-defined command button to the Windows 7 Explorer toolbar.  In the previous article (http://www.experts-exchange.com/A_2172.html), we saw how to put the Delete button back there where it belongs.  "Delete" is …
This article describes a technique for converting RTF (Rich Text Format) data to HTML and provides C++ source that does it all in just a few lines of code. Although RTF is coming to be considered a "legacy" format, it is still in common use... po…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now