• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 517
  • Last Modified:

Rename application on Windows Task Manager

I have another virus on my computer.
I notice that this virus, like many others, renames the ImageName found in the Windows Task Manager.
For example, I have the following task running:
Apache.exe
opmn.exe
rotatelogs.exe

I know these task are virus, and when I search my computer, I can't find a file with any of those names.

I'm thinking of creating an application that will kill any task that has a fake name.

I have two questions:
How can I programmatically get the list of items listed in the Windows Task Manger under the Process Tab?
How do these virus change their ImageName?
0
Axter
Asked:
Axter
  • 5
  • 4
1 Solution
 
jkrCommented:
>>How do these virus change their ImageName?

They do that by hooking and intercepting calls to the 'NtQueryInformationProcess()' entry point in ntdll.dll. I will not post any exact code here for obvious reasons, though...
0
 
AxterAuthor Commented:
Hi jkr,

Is there any way I can stop the hook?

Is there any ligitimate reasons for an application to change process name?

Is there any way for me to detect when another application is adding this paticular hook?
0
 
jkrCommented:
>>Is there any way I can stop the hook?

In theory, there is. In practise, once it is set, you'll need to remove either the user dll (easy) or the driver setting it and reboot.

>>Is there any ligitimate reasons for an application to change process name?

Not that I would know/think of.

>>Is there any way for me to detect when another application is adding this paticular hook?

That depends on the kind of hook. If it is a DLL loaded either via AppInit_DLLs or some Win32 hook started under 'Run' (or the Startup group), you'll be able to detect that manually. Finding a driver is more complicated, you'd need to use a tool that lists the drivers that are loaded on startup. An ad-hoc detection won't be possible for either situation, I am afraid.



0
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

 
AxterAuthor Commented:
OK, that pretty much answers my second question.
How about the first question.

>>How can I programmatically get the list of items listed in the Windows Task Manger under the Process Tab?

Is there some API I can use to get the list, or some windows method?
0
 
jkrCommented:
Ooops :o)

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q175/0/30.ASP&NoWebContent=1 ("How To Enumerate Applications Using Win32 APIs") has the code that the TaskManager uses
0
 
AxterAuthor Commented:
Thanks jkr.

I'll leave this question open untill tomorrow, just incase someone else has something new to add.

FYI:
On a related question, I got the following link for a free program that list all the running processes, and the source executables:
http://www.prcview.com
0
 
jkrCommented:
>>http://www.prcview.com/

That's a nice tool, however, since with a patched API fed with incorrect information, it cannot really help either. I was about to recommend launching remote threads in suspicious processes to get the executable image info, but since these calls even from inside those processes will finally end up retrieving the same faked information...
0
 
AxterAuthor Commented:
Thanks jkr
0
 
jkrCommented:
You're welcome. I really wished I could have come up with something more helpful, though. Well, at least with something more helpful than saying "use SoftICE and set a memory breakpoint on the jump table" :o)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now