Solved

Rename application on Windows Task Manager

Posted on 2004-10-13
503 Views
Last Modified: 2013-12-03
I have another virus on my computer.
I notice that this virus, like many others, renames the ImageName found in the Windows Task Manager.
For example, I have the following task running:
Apache.exe
opmn.exe
rotatelogs.exe

I know these tasks are viruses, and when I search my computer, I can't find a file with any of those names.

I'm thinking of creating an application that will kill any task that has a fake name.

I have two questions:
How can I programmatically get the list of items listed in the Windows Task Manager under the Process Tab?
How do these viruses change their ImageName?
0
Question by:Axter
9 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 12298292
>>How do these viruses change their ImageName?

They do that by hooking and intercepting calls to the 'NtQueryInformationProcess()' entry point in ntdll.dll. I will not post any exact code here for obvious reasons, though...
0
 
LVL 30

Author Comment

by:Axter
ID: 12298581
Hi jkr,

Is there any way I can stop the hook?

Are there any legitimate reasons for an application to change its process name?

Is there any way for me to detect when another application is adding this particular hook?
0
 
LVL 86

Expert Comment

by:jkr
ID: 12298945
>>Is there any way I can stop the hook?

In theory, there is. In practice, once it is set, you'll need to remove either the user DLL (easy) or the driver setting it, and reboot.

>>Are there any legitimate reasons for an application to change its process name?

Not that I would know/think of.

>>Is there any way for me to detect when another application is adding this particular hook?

That depends on the kind of hook. If it is a DLL loaded either via AppInit_DLLs or some Win32 hook started under 'Run' (or the Startup group), you'll be able to detect that manually. Finding a driver is more complicated; you'd need to use a tool that lists the drivers that are loaded on startup. An ad-hoc detection won't be possible for either situation, I am afraid.

0
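As an added example (not code from the thread), this PowerShell script lists the load points jkr names for the manual check (the AppInit_DLLs value, the Run keys, the Startup folders) plus the drivers currently running, so each entry can be reviewed by hand. It is read-only and assumes a modern Windows with PowerShell; the `LoadAppInit_DLLs` switch it reports did not exist on the 2004-era systems in the thread.

```powershell
# Added example (not from the thread): enumerate the load points jkr mentions.
# Read-only; nothing is modified.

# AppInit_DLLs: every DLL listed here is loaded into each process that links user32.dll
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
[PSCustomObject]@{
    Source  = 'AppInit_DLLs'
    Value   = $appInit.AppInit_DLLs
    Enabled = $appInit.LoadAppInit_DLLs   # 1 = mechanism enabled (Vista and later only)
}

# Run keys for the machine and for the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* bookkeeping properties that Get-ItemProperty adds
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [PSCustomObject]@{ Source = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

# Startup groups, per user and for all users
foreach ($folder in 'Startup', 'CommonStartup') {
    Get-ChildItem -Path ([Environment]::GetFolderPath($folder)) -File -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Source'; e = { $folder } }, Name, FullName
}

# Drivers that are currently running, with their image path (the "more complicated" case)
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    Select-Object Name, PathName, StartMode |
    Sort-Object Name
```

Review the driver list against a known-good baseline from the same Windows build; an unfamiliar PathName outside System32\drivers is the entry to investigate first.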
 
LVL 30

Author Comment

by:Axter
ID: 12299807
OK, that pretty much answers my second question.
How about the first question.

>>How can I programmatically get the list of items listed in the Windows Task Manager under the Process Tab?

Is there some API I can use to get the list, or some Windows method?
0
 
LVL 86

Accepted Solution

by:jkr (earned 500 total points)
ID: 12300394
Ooops :o)

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q175/0/30.ASP&NoWebContent=1 ("How To Enumerate Applications Using Win32 APIs") has the code that the Task Manager uses.
0
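The KB article's enumeration, done from PowerShell as an added example (not the article's or the thread's code): it lists the processes the Task Manager Process tab shows and cross-checks each reported image name against the executable on disk, which is exactly the discrepancy Axter noticed. As jkr points out, a hook feeding the enumeration APIs faked data can defeat the check; it still flags entries whose claimed image file does not exist or whose name does not match the file it points to. `Get-SuspiciousProcess` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the thread or the KB article): enumerate running processes
# and report the ones whose reported image does not check out against the disk.
function Get-SuspiciousProcess {
    # Win32_Process: name, PID and the image path recorded for each process
    $processes = Get-CimInstance -ClassName Win32_Process
    # Get-Process: a second, separately obtained view of the image path, keyed by PID
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_.Path }

    foreach ($p in $processes) {
        $reasons = @()
        $path    = $p.ExecutablePath
        if ($path) {
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                $reasons += 'image file not found on disk'
            } elseif ([IO.Path]::GetFileName($path) -ine $p.Name) {
                $reasons += "name '$($p.Name)' differs from file '$([IO.Path]::GetFileName($path))'"
            }
            # The two enumeration sources should agree on the image path
            $other = $byPid[[int]$p.ProcessId]
            if ($other -and $other -ine $path) {
                $reasons += "Win32_Process path differs from Get-Process path '$other'"
            }
        } elseif ($p.ProcessId -gt 4) {
            # System Idle (0) and System (4) legitimately have no image path;
            # for anything else an empty path means a protected/kernel process or access denied
            $reasons += 'no executable path reported (protected process or access denied)'
        }
        if ($reasons) {
            [PSCustomObject]@{
                Name    = $p.Name
                PID     = $p.ProcessId
                Path    = $path
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousProcess | Format-Table -AutoSize
```

Run it from an elevated prompt so the image paths of other users' processes are readable; otherwise the access-denied rows drown out the real findings.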
 
LVL 30

Author Comment

by:Axter
ID: 12301782
Thanks jkr.

I'll leave this question open until tomorrow, just in case someone else has something new to add.

FYI:
On a related question, I got the following link for a free program that lists all the running processes and their source executables:
http://www.prcview.com
0
 
LVL 86

Expert Comment

by:jkr
ID: 12302111
>>http://www.prcview.com/

That's a nice tool; however, since a patched API feeds it incorrect information, it cannot really help either. I was about to recommend launching remote threads in suspicious processes to get the executable image info, but even these calls, from inside those processes, will finally end up retrieving the same faked information...
0
 
LVL 30

Author Comment

by:Axter
ID: 12314162
Thanks jkr
0
 
LVL 86

Expert Comment

by:jkr
ID: 12314416
You're welcome. I really wish I could have come up with something more helpful, though. Well, at least with something more helpful than saying "use SoftICE and set a memory breakpoint on the jump table" :o)
0