Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Rename application on Windows Task Manager

Posted on 2004-10-13
9
Medium Priority
?
509 Views
Last Modified: 2013-12-03
I have another virus on my computer.
I notice that this virus, like many others, renames the ImageName found in the Windows Task Manager.
For example, I have the following task running:
Apache.exe
opmn.exe
rotatelogs.exe

I know these task are virus, and when I search my computer, I can't find a file with any of those names.

I'm thinking of creating an application that will kill any task that has a fake name.

I have two questions:
How can I programmatically get the list of items listed in the Windows Task Manger under the Process Tab?
How do these virus change their ImageName?
0
Comment
Question by:Axter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 12298292
>>How do these virus change their ImageName?

They do that by hooking and intercepting calls to the 'NtQueryInformationProcess()' entry point in ntdll.dll. I will not post any exact code here for obvious reasons, though...
0
 
LVL 30

Author Comment

by:Axter
ID: 12298581
Hi jkr,

Is there any way I can stop the hook?

Is there any ligitimate reasons for an application to change process name?

Is there any way for me to detect when another application is adding this paticular hook?
0
 
LVL 86

Expert Comment

by:jkr
ID: 12298945
>>Is there any way I can stop the hook?

In theory, there is. In practise, once it is set, you'll need to remove either the user dll (easy) or the driver setting it and reboot.

>>Is there any ligitimate reasons for an application to change process name?

Not that I would know/think of.

>>Is there any way for me to detect when another application is adding this paticular hook?

That depends on the kind of hook. If it is a DLL loaded either via AppInit_DLLs or some Win32 hook started under 'Run' (or the Startup group), you'll be able to detect that manually. Finding a driver is more complicated, you'd need to use a tool that lists the drivers that are loaded on startup. An ad-hoc detection won't be possible for either situation, I am afraid.



0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 30

Author Comment

by:Axter
ID: 12299807
OK, that pretty much answers my second question.
How about the first question.

>>How can I programmatically get the list of items listed in the Windows Task Manger under the Process Tab?

Is there some API I can use to get the list, or some windows method?
0
 
LVL 86

Accepted Solution

by:
jkr earned 2000 total points
ID: 12300394
Ooops :o)

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q175/0/30.ASP&NoWebContent=1 ("How To Enumerate Applications Using Win32 APIs") has the code that the TaskManager uses
0
 
LVL 30

Author Comment

by:Axter
ID: 12301782
Thanks jkr.

I'll leave this question open untill tomorrow, just incase someone else has something new to add.

FYI:
On a related question, I got the following link for a free program that list all the running processes, and the source executables:
http://www.prcview.com
0
 
LVL 86

Expert Comment

by:jkr
ID: 12302111
>>http://www.prcview.com/

That's a nice tool, however, since with a patched API fed with incorrect information, it cannot really help either. I was about to recommend launching remote threads in suspicious processes to get the executable image info, but since these calls even from inside those processes will finally end up retrieving the same faked information...
0
 
LVL 30

Author Comment

by:Axter
ID: 12314162
Thanks jkr
0
 
LVL 86

Expert Comment

by:jkr
ID: 12314416
You're welcome. I really wished I could have come up with something more helpful, though. Well, at least with something more helpful than saying "use SoftICE and set a memory breakpoint on the jump table" :o)
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For a while now I'v been searching for a circular progress control, much like the one you get when first starting your Silverlight application. I found a couple that were written in WPF and there were a few written in Silverlight, but all appeared o…
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question