Hiding a process from the task manager

Q3    100
Hi there! I'm looking for ways to hide a process from the "task manager" (for security purposes only) C#/C++. I found this API function "RegisterServiceProcess" that is supposed to do the deed but I get this error saying that the entry point could not be found in kernel32.dll where it is supposed to be... please help :)

markr    1692
Here are some answers:

1. You can't - don't do it.
2. You CAN but only by creating a "rootkit", which is evil. Don't do it.
3. You can do it but you might get the same flak as Sony did on their DRM'd CDs.

RegisterServiceProcess I think is for win9x, to stop the process being shut down when the user logs off. It's pretty much irrelevant because nobody uses win9x any more, and win9x usually crashes anyway before the user has a chance to log off.

You cannot hide a process easily, and indeed, under normal circumstances you should not.

It will not enhance security at all, just annoy people.

Mark

Yarin    138
Quote:
Original post by markr
You CAN but only by creating a "rootkit"
Wrong. There are several ways to do it. But all of them are too complex if you didn't know of them yet :P

You could:
- periodically check for a taskmngr.exe process and, if you find one, manipulate the list view so it doesn't show the entry you want to hide.
- Write a replacement for the taskmngr.exe which looks and acts exactly the same but hides your process (which I would call a "rootkit")
- You could write a WDM driver to get ring 0 access (therefore access to the kernel) and use one of the many techniques to hook up the APIs which are used by the task manager to fetch the process list.

And I'm sure there are more ways to do it which I just don't know of.. :P

cherryhouse    100
It's called DLL injection. You call a remote thread that injects a thread into a currently running process (most commonly explorer.exe). It isn't as hard as you all seem to think, if you have a good understanding of programming. Enjoy.

white skies    122
Quote:
Original post by cherryhouse
It's called DLL injection. You call a remote thread that injects a thread into a currently running process (most commonly explorer.exe). It isn't as hard as you all seem to think, if you have a good understanding of programming. Enjoy.


Yes, but DLL injection may alert the installed antivirus. :)
And I doubt it can be done with a window application or a console (I guess that's what Q3 wants since he uses C#), you can't put this into a DLL, can you? [smile]

Guest Anonymous Poster
Quote:
Original post by white skies
Quote:
Original post by cherryhouse
It's called DLL injection. You call a remote thread that injects a thread into a currently running process (most commonly explorer.exe). It isn't as hard as you all seem to think, if you have a good understanding of programming. Enjoy.


Yes, but DLL injection may alert the installed antivirus. :)
And I doubt it can be done with a window application or a console (I guess that's what Q3 wants since he uses C#), you can't put this into a DLL, can you? [smile]


You inject a DLL that hooks the enumeration API, and if it finds your parent process, it just returns the next process, instead of yours...

Q3    100
Quote:
Original post by Anonymous Poster
Quote:
Original post by white skies
Quote:
Original post by cherryhouse
It's called DLL injection. You call a remote thread that injects a thread into a currently running process (most commonly explorer.exe). It isn't as hard as you all seem to think, if you have a good understanding of programming. Enjoy.


Yes, but DLL injection may alert the installed antivirus. :)
And I doubt it can be done with a window application or a console (I guess that's what Q3 wants since he uses C#), you can't put this into a DLL, can you? [smile]


You inject a DLL that hooks the enumeration API, and if it finds your parent process, it just returns the next process, instead of yours...



Can you elaborate on that please? :)

cherryhouse    100
There's no point getting into DLL injection since you are probably new to programming. You'll have no idea what you're getting into. In fact, this whole subject would be out of your league, if you are new to programming.

Q3    100
Quote:
Original post by cherryhouse
There's no point getting into DLL injection since you are probably new to programming. You'll have no idea what you're getting into. In fact, this whole subject would be out of your league, if you are new to programming.


I think I can handle it.
All you need is love.
All I need is good tutorials :)

Guest Anonymous Poster
Quote:
Original post by Q3
(for security purposes only)

What security purposes?

Q3    100
I do not want the user to be able to close my program until it completes its work. It is supposed to run for hours and I don't want the user (the computer is in a lab) to accidentally ruin the calculations.
It has happened before :(

I know he can restart the computer and Windows can crash but there's nothing I can do about that. I do what I can :)

yapposai    410
how about just making a small always on top window that says "CALCULATING IMPORTANT STUFF, DO NOT TURN OFF - <yourname> <date:time>" much better than doing complicated things to frustrate the user.

Q3    100
Quote:
Original post by yapposai
how about just making a small always on top window that says "CALCULATING IMPORTANT STUFF, DO NOT TURN OFF - <yourname> <date:time>" much better than doing complicated things to frustrate the user.


LOL
been there, tried that.
The problem is that there are some assholes in my lab that don't give a shit
about other people's experiments.
either that or these really are accidents.

Nik02    4348
Quote:
Original post by Q3
I do not want the user to be able to close my program until it completes its work. It is supposed to run for hours and I don't want the user (the computer is in a lab) to accidentally ruin the calculations.
It has happened before :(

I know he can restart the computer and Windows can crash but there's nothing I can do about that. I do what I can :)


Then make the program an ordinary service. It is nearly impossible to close them by "accident", yet the user can do it if he really, really wants.

If you force the user to not be able to close your application in some way, then, by definition, you're designing malware.

If the general situation doesn't suit you, have you considered obtaining a dedicated computer - with which you can run anything you want without depending on other users - for your experiments?

Q3    100
Quote:
Original post by Nik02
If you force the user to not be able to close your application in some way, then, by definition, you're designing malware.


But they WILL be able to close my program.
...
...
but only after it completes its work :)

Q3    100
Quote:
Original post by Q3
Quote:
Original post by Nik02
If you force the user to not be able to close your application in some way, then, by definition, you're designing malware.


But they WILL be able to close my program.
...
...
but only after it completes its work :)


Quote:
Original post by Nik02
If the general situation doesn't suit you, have you considered obtaining a dedicated computer - with which you can run anything you want without depending on other users - for your experiments?


A computer only I can work with?
not gonna happen :(

Nik02    4348
Quote:
Original post by Q3
Quote:
Original post by Nik02
If you force the user to not be able to close your application in some way, then, by definition, you're designing malware.


But they WILL be able to close my program.
...
...
but only after it completes its work :)


A "do not disturb" flag can be specified when running a service process, so that ordinary users can't shut it down while logged in to the computer. An administrator can, of course, shut down almost anything except the kernel and there's ultimately nothing you can do about that.

Q3    100
Quote:
Original post by Nik02
Quote:
Original post by Q3

A computer only I can work with?
not gonna happen :(


Why?


The lab supervisor does not approve of this.

yapposai    410
how about putting a password prompt when exiting the program to avoid accidents and putting the program in the system tray. For people who open task manager and kill your program, I suggest either notifying the persons in charge of the labs that somebody is messing with your program or making sure the program creates save points to resume calculations when interrupted.

If you have people who literally go out of their way to kill your program (using task manager) then I doubt hiding it will help that much. If I really wanted to mess with your stuff and I can't find it in the task manager, I'll just shut down windows/pull the plug. Either way, the hiding did not help.

Q3    100
Quote:
Original post by yapposai
For people who open task manager and kill your program, I suggest either notifying the persons in charge of the labs that somebody is messing with your program


maybe it will be easier to find out who is doing this and get him kicked out. :)

ToohrVyk    1596
Ask the people in charge of the labs to let you run your program as a low-priority process with your account. This way, your program will not disturb other users and other users will not be able to terminate it (it can only be killed from your own account and administrator accounts).

If the administrators refuse to let you do this, don't do it, period.

EDIT: My approach to this involves:

  • Launching the process as nice 19 (lowest priority) ...

  • ... with regular (4 times per hour) saving of already processed data as well as upon SIGKILL, and the ability to resume from there ...

  • ... on a currently unused computer ...

  • ... in the (usually empty) humanities computer lab.



This ensures that nobody notices my process because it is highly unlikely to disturb or annoy anyone. And should it become annoying, it "plays nice" and shuts itself down on SIGKILL after saving its data for resuming.
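The "save points" yapposai suggests and the checkpoint-and-resume approach in ToohrVyk's post above are the part of this thread a defender would actually build, so here is an added example (my own code, not from any poster) of a long-running job that saves its state atomically at regular intervals and on a stop request, then resumes from the last checkpoint on the next start. The work function, file names, intervals and the `Job` class are all constructed for the example. It traps SIGTERM and SIGINT; SIGKILL cannot be caught by any process, so after a hard kill the periodic checkpoints are what make the job resumable. The atomic write (temp file, fsync, rename) matters because a kill in the middle of a save must not corrupt the only copy of the state.

```python
"""Checkpointed long-running job: periodic atomic saves, graceful stop on
SIGTERM/SIGINT, resume from the last checkpoint on restart.
Added example; job logic, paths and intervals are constructed, not from the thread."""
import json
import os
import signal
import tempfile
import time
from pathlib import Path


def save_checkpoint(path: Path, state: dict) -> None:
    """Atomic save: write a temp file in the same directory, fsync it, then rename it
    over the target, so a kill mid-write leaves the previous checkpoint intact."""
    fd, tmp = tempfile.mkstemp(dir=str(path.parent), prefix=path.name, suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX and on NTFS
    finally:
        if os.path.exists(tmp):  # only left behind if the write failed
            os.remove(tmp)


def load_checkpoint(path: Path) -> dict:
    """Return the saved state, or the initial state if no checkpoint exists yet."""
    if not path.exists():
        return {"next_i": 0, "acc": 0}
    with open(path) as f:
        return json.load(f)


def work_unit(i: int) -> int:
    """Hypothetical unit of work (sum of squares); a real job computes here."""
    return i * i


class Job:
    def __init__(self, path: Path, total: int, save_every_steps: int = 1000,
                 save_every_seconds: float = 15 * 60):  # 4 saves per hour by default
        self.path = path
        self.total = total
        self.save_every_steps = save_every_steps
        self.save_every_seconds = save_every_seconds
        self.stop_requested = False

    def request_stop(self, signum=None, frame=None) -> None:
        """Signal handler: only set a flag; the loop saves and exits at a safe point."""
        self.stop_requested = True

    def run(self):
        """Process work units from the checkpoint onward. Returns (state, finished)."""
        state = load_checkpoint(self.path)
        last_save = time.monotonic()
        while state["next_i"] < self.total:
            if self.stop_requested:
                save_checkpoint(self.path, state)
                return state, False  # interrupted but resumable
            state["acc"] += work_unit(state["next_i"])
            state["next_i"] += 1
            due = (state["next_i"] % self.save_every_steps == 0
                   or time.monotonic() - last_save >= self.save_every_seconds)
            if due:
                save_checkpoint(self.path, state)
                last_save = time.monotonic()
        save_checkpoint(self.path, state)
        return state, True


def demo() -> dict:
    """Interrupt-and-resume scenario in a temp dir: run 5 units, restart with a
    target of 10 and pick up at unit 5, plus a job stopped before any work."""
    d = Path(tempfile.mkdtemp())
    first, done1 = Job(d / "ckpt.json", total=5, save_every_steps=2).run()
    resumed, done2 = Job(d / "ckpt.json", total=10, save_every_steps=2).run()
    stopped = Job(d / "stop.json", total=10)
    stopped.request_stop()  # as if SIGTERM arrived before the loop started
    st, done3 = stopped.run()
    return {"first": first, "done1": done1, "resumed": resumed, "done2": done2,
            "stopped_next_i": st["next_i"], "done3": done3,
            "reloaded_next_i": load_checkpoint(d / "ckpt.json")["next_i"]}


if __name__ == "__main__":
    if hasattr(os, "nice"):
        os.nice(19)  # lowest priority on POSIX, as in the post; skipped on Windows
    job = Job(Path("job_checkpoint.json"), total=10_000_000)
    signal.signal(signal.SIGTERM, job.request_stop)
    signal.signal(signal.SIGINT, job.request_stop)
    final_state, finished = job.run()
    print("finished" if finished else "stopped, resumable", final_state)
```

Running the script, stopping it with Ctrl-C or `kill <pid>`, and starting it again continues from the saved `next_i` rather than from zero; `demo()` exercises that path in a temporary directory without signals. The handler deliberately does nothing but set a flag, because a signal can arrive mid-write and the save must happen at a point the loop controls.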

Q3    100
Quote:
Original post by ToohrVyk
Ask the people in charge of the labs to let you run your program as a low-priority process with your account. This way, your program will not disturb other users and other users will not be able to terminate it (it can only be killed from your own account and administrator accounts).

If the administrators refuse to let you do this, don't do it, period.

EDIT: My approach to this involves:

  • Launching the process as nice 19 (lowest priority) ...

  • ... with regular (4 times per hour) saving of already processed data as well as upon SIGKILL, and the ability to resume from there ...

  • ... on a currently unused computer ...

  • ... in the (usually empty) humanities computer lab.



This ensures that nobody notices my process because it is highly unlikely to disturb or annoy anyone. And should it become annoying, it "plays nice" and shuts itself down on SIGKILL after saving its data for resuming.


Ok, I'll try that.
Thanks everybody [smile]
