Windows Task Manager

Hello experts,

The other day I posted a question about Windows Task Manager in the OS (XP) section (http://www.experts-exchange.com/Operating_Systems/WinXP/Q_22055556.html). The question for the Delphi section is: HOW can I make a program with that function using DELPHI 7?
plinho Asked:
Wim ten Brink (Self-employed developer) Commented:
There is a way to hide your application from the Task Manager, but it requires some serious (low-level) API hooking and unfortunately it's a technique often used by rootkits. Basically, you hijack a few API functions that the Task Manager uses to enumerate the running processes and just make sure these API functions won't report your application.
One other problem is of course that if you hijack some API functions and your code has a bug then the whole system might crash and crash hard! Also, check out the story about Sony and Rootkits and you know another reason why NOT to create them. :-)

And sorry, I don't know how to do this. I just know it can be done. I think through something called MadComponents. :-)
0
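An added example, not part of the original thread: the usual way to detect a process that has been filtered out of the enumeration API is a cross-view comparison, where the API's process list is checked against sources that do not go through it. The source names (`window_owners`, `pid_probe`) and all PIDs and process names below are constructed for illustration.

```python
"""Cross-view check for processes filtered out of the enumeration API.

All data below is constructed; on a real host each view would come from a
separate collection path.
"""

def cross_view(api_snapshots, other_views):
    """Return PIDs that independent sources report but the API never listed.

    api_snapshots: list of {pid: name} dicts taken before AND after the other
        views were collected, so normal process churn is not misreported.
    other_views: {source_name: {pid: name}} from paths that do not rely on
        the process-enumeration API (hypothetical source names).
    """
    api_seen = set()
    for snap in api_snapshots:
        api_seen.update(snap)

    findings = {}
    for source, view in sorted(other_views.items()):
        for pid, name in view.items():
            if pid in api_seen:
                continue
            entry = findings.setdefault(pid, {"name": name, "seen_by": []})
            entry["seen_by"].append(source)

    # Agreement between two or more independent sources is a stronger signal.
    for entry in findings.values():
        entry["confidence"] = "high" if len(entry["seen_by"]) >= 2 else "low"
    return findings


# Constructed sample views: notepad exits and calc starts between snapshots.
API_BEFORE = {4: "System", 620: "services.exe", 1180: "explorer.exe", 2044: "notepad.exe"}
API_AFTER = {4: "System", 620: "services.exe", 1180: "explorer.exe", 2312: "calc.exe"}
OTHER_VIEWS = {
    "window_owners": {1180: "explorer.exe", 1732: "app.exe", 2312: "calc.exe"},
    "pid_probe": {4: "System", 620: "services.exe", 1180: "explorer.exe",
                  1732: "app.exe", 2044: "notepad.exe", 3100: "tmp.exe"},
}

if __name__ == "__main__":
    for pid, info in sorted(cross_view([API_BEFORE, API_AFTER], OTHER_VIEWS).items()):
        print(pid, info)
```

Taking the API snapshot both before and after the other views is what keeps a process that simply started or exited in between from being reported as hidden.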
 
CodedK Commented:
Hi plinho.

You can hide a program from the task manager on XP ONLY if it's a service process...
(But even if that's the case your program can be seen in the list on administration tools - services)
You can't do it for any other external program.

1) You can disable Task Manager though.
2) You can create a program that launches your application if it has been terminated.
3) You can disable Task Manager and open a window that looks like and mimics Task Manager, filtering the program you want to hide...

Hope this helps.

0
 
CodedK Commented:
There is a way to hide it from the application tab:

In the OnActivate event of Form1 write this:
ShowWindow(Application.Handle,SW_HIDE);

------------------------------

To hide it from the list in the processes tab, the only fast way is to terminate the program you want, rename it to svchost.exe & launch it again.
0
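An added example, not part of the original thread: a renamed binary shares only its name with the real svchost.exe, so a process audit can separate the two by image directory and parent process. The process records and the `system_root` default below are constructed assumptions; a legitimate svchost.exe runs from the System32 directory and is started by services.exe.

```python
import ntpath  # Windows path rules, usable on any platform


def audit_svchost(processes, system_root=r"C:\Windows"):
    """Flag processes named svchost.exe that do not match the genuine one.

    processes: list of dicts with 'pid', 'ppid' and 'path' (full image path).
    Returns a list of (pid, path, [reasons]) for every suspicious entry.
    """
    sys32 = ntpath.normcase(ntpath.join(system_root, "System32"))
    services = ntpath.join(sys32, "services.exe")
    by_pid = {p["pid"]: p for p in processes}

    findings = []
    for p in processes:
        path = ntpath.normcase(p["path"])
        if ntpath.basename(path) != "svchost.exe":
            continue
        reasons = []
        if ntpath.dirname(path) != sys32:
            reasons.append("image outside System32")
        parent = by_pid.get(p["ppid"])
        if parent is None or ntpath.normcase(parent["path"]) != services:
            reasons.append("parent is not services.exe")
        if reasons:
            findings.append((p["pid"], p["path"], reasons))
    return findings


# Constructed process list for illustration.
SAMPLE = [
    {"pid": 620, "ppid": 560, "path": r"C:\Windows\System32\services.exe"},
    {"pid": 904, "ppid": 620, "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": 1180, "ppid": 1100, "path": r"C:\Windows\explorer.exe"},
    {"pid": 2760, "ppid": 1180, "path": r"C:\Projects\svchost.exe"},
    {"pid": 3012, "ppid": 1180, "path": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for pid, path, reasons in audit_svchost(SAMPLE):
        print(pid, path, "; ".join(reasons))
```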
 
plinho (Author) Commented:
Have you seen the other question I asked in the Windows XP section?? There is a program that does that, the name is jamilah... I saved it into this email: jamilah_software@yahoo.com.br, password: 123456.
Take a look there ;)
0
 
CodedK Commented:
Can you please tell me HOW this *** application can hide another application?
Because I see very well that it exists in the application tab in 1 application that I tried...
Moreover, I had to reboot coz it crashed my system!
0
 
plinho (Author) Commented:
That's what I'm asking... HOW does it work, and HOW to do that in Delphi =/
0
 
plinho (Author) Commented:
It hides the app from the process list in Windows Task Manager.... That's what I'm trying to do in Delphi
0
 
plinho (Author) Commented:
By the way, when you hide an app with jamilah you have to close this app FIRST, then jamilah, or else the system will crash =)
0
 
CodedK Commented:
Hi plinho, check out this link :

http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=764&lngWId=7

The only way is to hack Task Manager memory and remove the name of your program from the list...
This is a security issue.
0
 
CodedK Commented:
Also check this out:

Lee tries to hack Task Manager and Task Manager crashes... Check out the other comments too, there are instructions on how to inject your code with Mad components.

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_20289521.html
0
 
plinho (Author) Commented:
That's a very good topic... I looked for this subject but couldn't find anything =/
CodedK, have you seen jamilah?? It hides an external app and can change their PID. HOW the hell can it be done?! I thought it was very close to impossible before I found this software...
0
 
CodedK Commented:
It can trick the system.
I've never done anything similar before and like you I also thought it's impossible.
Yes, I saw Jamilah.

The way I see it, it must do the following:
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Hooks system api calls to intercept Task Manager.
Hide Task Manager window.
Dump memory process of Task Manager.
Edit memory to remove the given string from the process list (But it cannot remove it from the Application Tab).
Show Task Manager Window.
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

In every forum I've seen, the only way to do it is to hack the system... There isn't any known procedure to do it.
I'll keep looking for something interesting for you :)

P.S
I found something called Stealth but it keeps crashing my system...
Do you want to check it ?
0
 
CodedK Commented:
I found something useful in a trojan source code ... (Back Orifice 2000)
0
 
plinho (Author) Commented:
Sure, can you post the link to this program so I can download it (Stealth, not B.O. =P).
I'm not home now, but as soon as I get there I'll take a look at it ;)

"I'll keep looking for something interesting for you :)"

No rush... Just in enough time for this question not to be closed.
0
 
CodedK Commented:
I'm at work now :) I'll send it in 1 hour or 2
0
 
plinho (Author) Commented:
Ok, I'll be home just in 6 hours =/.
I hate not having my this on other computers
0
 
CodedK Commented:
Well, first of all this is one PAQ from Madshi, the one who wrote all the mad hook components we talked about earlier:

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_10186120.html

He is talking about the source code of the Back Orifice worm.... He rewrote it in Delphi... Check it out ...

The source that follows is that **** unit I found (it crashes my application)
0
 
CodedK Commented:
 unit Stealth;

  interface

  uses
    WinTypes, WinProcs, Classes, Forms, SysUtils, Controls, Messages;

  type
    TDuplicateComponent = class(Exception);
    TFormNotOwner = class(Exception);
    TStealth = class(TComponent)

    private
      FHideForm: Boolean;
      fHideApp: Boolean;
      OldWndProc: TFarProc;
      NewWndProc: Pointer;
      function IsIt: Boolean;
      procedure SetIt (Value: Boolean);
      procedure SetHideApp(Value: Boolean);
      procedure HookParent;
      procedure UnhookParent;
      procedure HookWndProc(var Message: TMessage);
      protected

    {Protected declarations}
       procedure HideApplication;
       procedure ShowApplication;

    public
    {Public declarations}
      constructor Create(AOwner: TComponent); override;
      destructor Destroy; override;
      procedure Loaded; override;
      procedure ProcessEnabled;
      published

    {Published declarations}
      property HideForm: Boolean read IsIt write SetIt stored true default true;
      property HideApp: Boolean read fHideApp write SetHideApp;
    end;

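    { RegisterServiceProcess is exported by KERNEL32.DLL only on Windows 95/98/Me.
      On NT-based Windows (2000/XP) this static import cannot be resolved, so a
      program using this unit fails at load time. }
    function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; stdcall; external 'KERNEL32.DLL';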
    procedure Register;

    implementation

uses Unit1;

    destructor TStealth.Destroy;

    begin
     ShowApplication;
     UnhookParent;
     inherited destroy;
    end;

    constructor TStealth.Create(AOwner: TComponent);
    var
      i: Word;
      CompCount: Byte;
    begin
     inherited Create(AOwner);
     fHideform := true;
     NewWndProc := nil;
     OldWndProc := nil;
     CompCount := 0;
     if (csDesigning in ComponentState) then
     if (AOwner is TForm) then
     with (AOwner as TForm) do
      begin
       for i := 0 to ComponentCount - 1 do
       if Components[i] is TStealth then Inc(CompCount);
       if CompCount > 1 then raise TDuplicateComponent.Create('There is already a TStealth component on this Form');
      end
     else
      raise TFormNotOwner.Create('The owner of TStealth Component is not a TForm');
      HookParent;
    end;

    procedure TStealth.SetHideApp(Value: Boolean);
    begin
     fHideApp := Value;
     if Value then HideApplication
      else
     ShowApplication;
    end;

    procedure TStealth.HideApplication;
    begin
     if not (csDesigning in ComponentState) then
     RegisterServiceProcess(GetCurrentProcessID, 1);
    end;

    procedure TStealth.ShowApplication;
    begin
     if not (csDesigning in ComponentState) then
     RegisterServiceProcess(GetCurrentProcessID, 0);
    end;

    procedure TStealth.Loaded;
    begin
     inherited Loaded; { Always call inherited Loaded method }
     if not (csDesigning in ComponentState) then
     ProcessEnabled;
    end;

    procedure TStealth.ProcessEnabled;
    begin
     if not (csDesigning in ComponentState) then
     if fHideform then
     ShowWindow(FindWindow(nil, @Application.Title[1]), SW_HIDE)
     else
     ShowWindow(FindWindow(nil, @Application.Title[1]), SW_RESTORE);
    end;

    function TStealth.IsIt: Boolean;
    begin
     Result := fHideform;
    end;

    procedure TStealth.SetIt(Value: Boolean);
    begin
     fHideform := value;
     ProcessEnabled;
    end;

    procedure TStealth.HookParent;
    begin
     if owner = nil then exit;
     OldWndProc := TFarProc(GetWindowLong((owner as TForm).Handle, GWL_WNDPROC));
     NewWndProc := MakeObjectInstance(HookWndProc);
     SetWindowLong((owner as TForm).Handle, GWL_WNDPROC, LongInt(NewWndProc));
    end;

    procedure TStealth.UnhookParent;
    begin
     if (owner <> NIL) and Assigned(OldWndProc) then
     SetWindowLong((owner as TForm).Handle, GWL_WNDPROC, LongInt(OldWndProc));
     if Assigned(NewWndProc) then
     FreeObjectInstance(NewWndProc);
     NewWndProc := NIL;
     OldWndProc := NIL;
    end;

    procedure Register;
    begin
     RegisterComponents('Dbayliss', [TStealth]);
    end;

    procedure TStealth.HookWndProc(var Message: TMessage);
    begin
     if owner = NIL then exit;
     if (Message.Msg = WM_SHOWWINDOW) then
     if (Message.wParam <> 0) then
     ProcessEnabled;
     Message.Result := CallWindowProc(OldWndProc, (owner as TForm).Handle, Message.Msg, Message.wParam, Message.lParam);
    end;

end.
0
 
plinho (Author) Commented:
Hmm, I know it sounds stupid but I can't install madKernel and those other components...
0
 
CodedK Commented:
I've never tried, plinho; maybe someone could help you more with these components...
Send a pm to Madshi...
www.madshi.net
:)
0
 
plinho (Author) Commented:
Hmm, I couldn't make this program that you posted work, I mean, I compiled it, but what does it do actually?
0
 
CodedK Commented:
Use the unit from your program...
0
 
plinho (Author) Commented:
Hmm, got these errors:
"[Error] WARNING. Duplicate resource(s):
[Error] Type 10 (RCDATA), ID TFORM1:
[Error] File C:\Arquivos de programas\Borland\Delphi7\Projects\Unit1.dfm resource kept; file C:\Arquivos de programas\Borland\Delphi7\Projects\goxpgount.dfm resource discarded."
0
 
CodedK Commented:
Try to test it in a new project.
Mine just crashes with no errors! Can't help you with that unit any more.
I just found it and thought that it could be useful :/
0
 
plinho (Author) Commented:
I guess it would be quite difficult to hide an external app... So if you help me to hide my own app, I'll give you the points with A grade for your patience =)
0
 
CodedK Commented:
Plinho, thanks, but I don't do it for the points :)

I hope some other expert will come in, that knows something about this ...
Be patient, I'm looking in every forum I know :)

Maybe we can pull this out with a trick.
0
 
plinho (Author) Commented:
That's ok :) but if you eventually find how to hide my own app, post it here so I can use it while we don't find out how to do it with external apps
0
 
CodedK Commented:
Plinho please add your email in your profile.
0
 
CodedK Commented:
Add your email in your profile, so I can send you the source code of a program I made.

It is based on my first post. So you can accept my first post.
It can do it even for an external application :) !!!!!!
0
 
CodedK Commented:
I can't post it here because it can be used for bad things.
0
 
CodedK Commented:
Forget it plinho, if you want the source I can mail it to you but it's not working well...
Task manager flickers too much, because it tries to refresh the values.
So forget my last comments. :(
0
 
plinho (Author) Commented:
=/, if you want to mail me send to plinho_v@yahoo.com.br plz... But there has to be a way to do it, I mean, that jamilah program does that, right?
0
 
CodedK Commented:
Plinho, I've managed to hack Task Manager Memory BUT I couldn't freeze the constant updating of WTM...
I hope this can give you a start. It can work even for external applications. BUT there is a constant flickering!
If you find a way around this then it's done!!!
I'll send you the source right now; if you find something then mail me (see my profile for my mail)
0
 
plinho (Author) Commented:
Wow, I'm no expert in Delphi, in fact I learned all I know by myself, so my knowledge is kinda low =/
I tried to do some changes on the names to find the Windows Task Manager, translating it to my language. But I've noticed something, correct me if I'm wrong, which I probably am =P, in this part of the code:
procedure TForm1.Timer2Timer(Sender: TObject);
var  pmRemote:      TProcessMemory;
     szString:      String;
     lvItem:        TLVItem;
     handle:        HWND;
     cnt:           Integer;
     i,z:             Integer;
     idxItem:       Integer;
     idxString:     Integer;
begin
if wnd<>0 then

   Begin
   ...
  End;

'wnd' hasn't been declared has it?
Maybe someone who really knows this kind of code could help us...
0
 
CodedK Commented:
If it wasn't declared then it wouldn't work :/
It's in the public declarations ..
0
 
CodedK Commented:
You can press control+space to navigate through the declarations when the mouse is on a variable.
0
 
plinho (Author) Commented:
Hmm, I see... So, let's just wait 'til someone helps us ;-)
0
 
plinho (Author) Commented:
I've been looking here in EE for this kind of stuff and it seems that the only person able to do that is Madshi.... But, unfortunately, he has a time problem =/...
Anyway Madshi: I see that there are a lot of people with this doubt and since you are the only one that can help us please, if you have some time, try to make this work....thanks!!
0
 
plinho (Author) Commented:
Whooow I found a program that does ANYTHING with processes!!! The name is ProcessGuard...
http://www.download.com/ProcessGuard/3640-2239_4-10356311.html
If someone knows how to do these things please post here
0
 
Computer101 Commented:
Forced accept.

Computer101
EE Admin
0