Axter
asked on
Rename application on Windows Task Manager
I have another virus on my computer.
I notice that this virus, like many others, renames the ImageName found in the Windows Task Manager.
For example, I have the following task running:
Apache.exe
opmn.exe
rotatelogs.exe
I know these tasks are viruses, and when I search my computer, I can't find a file with any of those names.
I'm thinking of creating an application that will kill any task that has a fake name.
I have two questions:
How can I programmatically get the list of items listed in the Windows Task Manager under the Process tab?
How do these viruses change their ImageName?
ASKER
Hi jkr,
Is there any way I can stop the hook?
Is there any legitimate reason for an application to change its process name?
Is there any way for me to detect when another application is adding this particular hook?
>>Is there any way I can stop the hook?
In theory, there is. In practice, once it is set, you'll need to remove either the user DLL (easy) or the driver setting it, and reboot.
>>Is there any legitimate reason for an application to change its process name?
Not that I would know/think of.
>>Is there any way for me to detect when another application is adding this particular hook?
That depends on the kind of hook. If it is a DLL loaded either via AppInit_DLLs or some Win32 hook started under 'Run' (or the Startup group), you'll be able to detect that manually. Finding a driver is more complicated, you'd need to use a tool that lists the drivers that are loaded on startup. An ad-hoc detection won't be possible for either situation, I am afraid.
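As an added example (not code from this thread or from jkr), the following PowerShell script walks the places named above: the AppInit_DLLs value, the Run keys, the Startup folders, and the list of kernel drivers currently loaded, flagging any running driver whose image file is not on disk. The function names Get-HookPersistence and Resolve-DriverImagePath are my own; the registry paths, the Win32_SystemDriver class and the cmdlets are standard Windows. Run it from an elevated session so HKLM and driver image paths are readable.

```powershell
# Added example, not code from the thread. Lists the persistence points jkr
# names (AppInit_DLLs, the Run keys, the Startup group) plus the kernel drivers
# currently loaded, and flags driver images that are not on disk.
# Run in an elevated PowerShell session so HKLM and driver paths are readable.

function Resolve-DriverImagePath {
    # Win32_SystemDriver.PathName comes in several forms:
    #   C:\Windows\system32\drivers\x.sys   \SystemRoot\System32\drivers\x.sys
    #   \??\C:\...\x.sys                    System32\drivers\x.sys (relative)
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-HookPersistence {
    [CmdletBinding()]
    param()

    # 1. AppInit_DLLs: every DLL listed is mapped into each process that loads
    #    user32.dll. Vista and later only honour it when LoadAppInit_DLLs is 1;
    #    Windows 8+ with Secure Boot ignores it entirely.
    $appInitKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $appInitKeys) {
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($v -and $v.AppInit_DLLs) {
            [pscustomobject]@{ Source = 'AppInit_DLLs'; Name = $key; Value = $v.AppInit_DLLs
                               Note = "LoadAppInit_DLLs=$($v.LoadAppInit_DLLs)" }
        }
    }

    # 2. Run / RunOnce keys, per machine and per user (plus the WOW64 view)
    $runKeys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') { "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub" }
    }
    $runKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # provider metadata (PSPath, PSDrive, ...)
            [pscustomobject]@{ Source = 'Run key'; Name = "$key\$($p.Name)"; Value = $p.Value; Note = '' }
        }
    }

    # 3. Startup folders (the 'Startup group'): per-user and all-users
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = 'Startup folder'; Name = $_.FullName
                               Value = $_.LastWriteTime; Note = '' }
        }
    }

    # 4. Kernel drivers currently running. A hook set from kernel mode lives in
    #    one of these; a running driver whose image is missing from disk is a
    #    strong indicator of something hiding itself.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $img = Resolve-DriverImagePath $_.PathName
        $note = if (-not $img) { 'no image path' }
                elseif (Test-Path -LiteralPath $img) { '' }
                else { 'IMAGE NOT ON DISK' }
        [pscustomobject]@{ Source = 'Driver'; Name = $_.Name; Value = $img; Note = $note }
    }
}

Get-HookPersistence | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Treat the output as a list of leads, not a verdict: a legitimate Run entry or driver looks the same as a malicious one, so compare the paths and file hashes against a known-good machine. A driver that is already loaded can also feed the registry and file-system APIs false data, which is the limitation jkr describes; in that case the listing has to come from offline media or a boot-time tool.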
ASKER
OK, that pretty much answers my second question.
How about the first question.
>>How can I programmatically get the list of items listed in the Windows Task Manager under the Process tab?
Is there some API I can use to get the list, or some windows method?
ASKER CERTIFIED SOLUTION
ASKER
Thanks jkr.
I'll leave this question open until tomorrow, just in case someone else has something new to add.
FYI:
On a related question, I got the following link for a free program that lists all the running processes and their source executables:
http://www.prcview.com
>>http://www.prcview.com/
That's a nice tool; however, since it relies on a patched API fed with incorrect information, it cannot really help either. I was about to recommend launching remote threads in suspicious processes to get the executable image info, but since these calls, even from inside those processes, will finally end up retrieving the same faked information...
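As an added example that is not part of the thread, this PowerShell script answers the asker's first question (enumerating what Task Manager's Process tab shows, together with each image path) and also works around the point jkr makes about a patched API: it collects the process list through two different paths, Get-Process in the local process and Win32_Process via WMI, which is answered by a separate provider host process, and reports any PID that appears in only one view, is reported with two different image paths, or whose image file does not exist on disk. The function name Get-ProcessCrossView is mine; the cmdlets and the Win32_Process class are standard.

```powershell
# Added example, not code from the thread. Two views of the process list:
#   view A: Get-Process, i.e. the NtQuerySystemInformation / PSAPI path inside
#           this PowerShell process (exactly what a user-mode hook here can lie to)
#   view B: Win32_Process via WMI, answered by the WMI provider host (WmiPrvSE.exe),
#           a different process with its own copies of the system DLLs
# A PID present in one view but not the other, reported with two different image
# paths, or whose image path does not exist on disk, is flagged.

function Get-ProcessCrossView {
    [CmdletBinding()]
    param()

    $byApi = @{}
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.MainModule.FileName } catch { }   # access denied for System/protected processes
        $byApi[[int]$p.Id] = [pscustomobject]@{ Name = $p.ProcessName; Path = $path }
    }

    $byWmi = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        # ProcessId is UInt32; cast so both tables key on the same type
        $byWmi[[int]$p.ProcessId] = [pscustomobject]@{ Name = $p.Name; Path = $p.ExecutablePath }
    }

    $allIds = @($byApi.Keys) + @($byWmi.Keys) | Sort-Object -Unique
    foreach ($id in $allIds) {
        $a = $byApi[$id]; $w = $byWmi[$id]
        $reasons = @()
        if (-not $a)     { $reasons += 'present in WMI view only' }
        elseif (-not $w) { $reasons += 'present in Get-Process view only' }
        else {
            if ($a.Path -and $w.Path -and $a.Path -ne $w.Path) {
                $reasons += "path mismatch: '$($a.Path)' vs '$($w.Path)'"
            }
            $path = if ($w.Path) { $w.Path } else { $a.Path }
            if ($path -and -not (Test-Path -LiteralPath $path)) { $reasons += "image not on disk: $path" }
            if (-not $path -and $id -gt 4) { $reasons += 'no image path reported' }   # 0 and 4 never have one
        }
        if ($reasons.Count -gt 0) {
            $name = if ($w) { $w.Name } else { $a.Name }
            [pscustomobject]@{ Pid = $id; Name = $name; Reasons = ($reasons -join '; ') }
        }
    }
}

Get-ProcessCrossView | Format-Table -AutoSize -Wrap
```

Expect a few benign hits: processes that start or exit between the two snapshots show up in one view only (run it twice and keep what persists), and on Windows 10 and later the kernel-backed Registry, Memory Compression and Secure System entries legitimately report no image path. What the script cannot beat is a kernel-mode hook, because then both views are reading the same doctored kernel data; that is the case jkr leaves to a memory breakpoint in a debugger.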
ASKER
Thanks jkr
You're welcome. I really wished I could have come up with something more helpful, though. Well, at least with something more helpful than saying "use SoftICE and set a memory breakpoint on the jump table" :o)
They do that by hooking and intercepting calls to the 'NtQueryInformationProcess