?
Solved

Rename application on Windows Task Manager

Posted on 2004-10-13
9
Medium Priority
?
507 Views
Last Modified: 2013-12-03
I have another virus on my computer.
I notice that this virus, like many others, renames the ImageName found in the Windows Task Manager.
For example, I have the following task running:
Apache.exe
opmn.exe
rotatelogs.exe

I know these task are virus, and when I search my computer, I can't find a file with any of those names.

I'm thinking of creating an application that will kill any task that has a fake name.

I have two questions:
How can I programmatically get the list of items listed in the Windows Task Manger under the Process Tab?
How do these virus change their ImageName?
0
Comment
Question by:Axter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 12298292
>>How do these virus change their ImageName?

They do that by hooking and intercepting calls to the 'NtQueryInformationProcess()' entry point in ntdll.dll. I will not post any exact code here for obvious reasons, though...
0
 
LVL 30

Author Comment

by:Axter
ID: 12298581
Hi jkr,

Is there any way I can stop the hook?

Is there any ligitimate reasons for an application to change process name?

Is there any way for me to detect when another application is adding this paticular hook?
0
 
LVL 86

Expert Comment

by:jkr
ID: 12298945
>>Is there any way I can stop the hook?

In theory, there is. In practise, once it is set, you'll need to remove either the user dll (easy) or the driver setting it and reboot.

>>Is there any ligitimate reasons for an application to change process name?

Not that I would know/think of.

>>Is there any way for me to detect when another application is adding this paticular hook?

That depends on the kind of hook. If it is a DLL loaded either via AppInit_DLLs or some Win32 hook started under 'Run' (or the Startup group), you'll be able to detect that manually. Finding a driver is more complicated, you'd need to use a tool that lists the drivers that are loaded on startup. An ad-hoc detection won't be possible for either situation, I am afraid.



0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 30

Author Comment

by:Axter
ID: 12299807
OK, that pretty much answers my second question.
How about the first question.

>>How can I programmatically get the list of items listed in the Windows Task Manger under the Process Tab?

Is there some API I can use to get the list, or some windows method?
0
 
LVL 86

Accepted Solution

by:
jkr earned 2000 total points
ID: 12300394
Ooops :o)

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q175/0/30.ASP&NoWebContent=1 ("How To Enumerate Applications Using Win32 APIs") has the code that the TaskManager uses
0
 
LVL 30

Author Comment

by:Axter
ID: 12301782
Thanks jkr.

I'll leave this question open untill tomorrow, just incase someone else has something new to add.

FYI:
On a related question, I got the following link for a free program that list all the running processes, and the source executables:
http://www.prcview.com
0
 
LVL 86

Expert Comment

by:jkr
ID: 12302111
>>http://www.prcview.com/

That's a nice tool, however, since with a patched API fed with incorrect information, it cannot really help either. I was about to recommend launching remote threads in suspicious processes to get the executable image info, but since these calls even from inside those processes will finally end up retrieving the same faked information...
0
 
LVL 30

Author Comment

by:Axter
ID: 12314162
Thanks jkr
0
 
LVL 86

Expert Comment

by:jkr
ID: 12314416
You're welcome. I really wished I could have come up with something more helpful, though. Well, at least with something more helpful than saying "use SoftICE and set a memory breakpoint on the jump table" :o)
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article surveys and compares options for encoding and decoding base64 data.  It includes source code in C++ as well as examples of how to use standard Windows API functions for these tasks. We'll look at the algorithms — how encoding and decodi…
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question