Solved

Rename application on Windows Task Manager

Posted on 2004-10-13
9
501 Views
Last Modified: 2013-12-03
I have another virus on my computer.
I notice that this virus, like many others, renames the ImageName found in the Windows Task Manager.
For example, I have the following task running:
Apache.exe
opmn.exe
rotatelogs.exe

I know these task are virus, and when I search my computer, I can't find a file with any of those names.

I'm thinking of creating an application that will kill any task that has a fake name.

I have two questions:
How can I programmatically get the list of items listed in the Windows Task Manger under the Process Tab?
How do these virus change their ImageName?
0
Comment
Question by:Axter
  • 5
  • 4
9 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 12298292
>>How do these virus change their ImageName?

They do that by hooking and intercepting calls to the 'NtQueryInformationProcess()' entry point in ntdll.dll. I will not post any exact code here for obvious reasons, though...
0
 
LVL 30

Author Comment

by:Axter
ID: 12298581
Hi jkr,

Is there any way I can stop the hook?

Is there any ligitimate reasons for an application to change process name?

Is there any way for me to detect when another application is adding this paticular hook?
0
 
LVL 86

Expert Comment

by:jkr
ID: 12298945
>>Is there any way I can stop the hook?

In theory, there is. In practise, once it is set, you'll need to remove either the user dll (easy) or the driver setting it and reboot.

>>Is there any ligitimate reasons for an application to change process name?

Not that I would know/think of.

>>Is there any way for me to detect when another application is adding this paticular hook?

That depends on the kind of hook. If it is a DLL loaded either via AppInit_DLLs or some Win32 hook started under 'Run' (or the Startup group), you'll be able to detect that manually. Finding a driver is more complicated, you'd need to use a tool that lists the drivers that are loaded on startup. An ad-hoc detection won't be possible for either situation, I am afraid.



0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 30

Author Comment

by:Axter
ID: 12299807
OK, that pretty much answers my second question.
How about the first question.

>>How can I programmatically get the list of items listed in the Windows Task Manger under the Process Tab?

Is there some API I can use to get the list, or some windows method?
0
 
LVL 86

Accepted Solution

by:
jkr earned 500 total points
ID: 12300394
Ooops :o)

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q175/0/30.ASP&NoWebContent=1 ("How To Enumerate Applications Using Win32 APIs") has the code that the TaskManager uses
0
 
LVL 30

Author Comment

by:Axter
ID: 12301782
Thanks jkr.

I'll leave this question open untill tomorrow, just incase someone else has something new to add.

FYI:
On a related question, I got the following link for a free program that list all the running processes, and the source executables:
http://www.prcview.com
0
 
LVL 86

Expert Comment

by:jkr
ID: 12302111
>>http://www.prcview.com/

That's a nice tool, however, since with a patched API fed with incorrect information, it cannot really help either. I was about to recommend launching remote threads in suspicious processes to get the executable image info, but since these calls even from inside those processes will finally end up retrieving the same faked information...
0
 
LVL 30

Author Comment

by:Axter
ID: 12314162
Thanks jkr
0
 
LVL 86

Expert Comment

by:jkr
ID: 12314416
You're welcome. I really wished I could have come up with something more helpful, though. Well, at least with something more helpful than saying "use SoftICE and set a memory breakpoint on the jump table" :o)
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows a few slightly more advanced techniques for Windows 7 gadget programming, including how to save and restore user settings for your gadget and how to populate the "details" panel that is displayed in the Windows 7 gadget gallery.  …
This article describes how to add a user-defined command button to the Windows 7 Explorer toolbar.  In the previous article (http://www.experts-exchange.com/A_2172.html), we saw how to put the Delete button back there where it belongs.  "Delete" is …
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question