hide process from list views

9 comments, last by LessBread 16 years, 11 months ago
I am in the process of writing an anti-hacking program for a friend, but I'm stuck at one point. I'm using LVM_FINDITEM and LVM_DELETEITEM to remove the listing of this program and the game client from Task Manager. The only problem is, it only works for Task Manager; any other program (such as Cheat Engine) still shows the process. So basically my question is, how do you hide a process from all list views (basically not registering the process with Windows)? Programs such as GameGuard do this, so I know it's possible. I just have no clue how to do it. Thanks for any help.
Feral
You'll find a lot of people on here very unwilling to help you with this, and I would be one of them.

Regardless of what you claim the reason to do this is, it is very very dodgy for any kind of program. Even if you don't have a malicious intent, there are others who will come across this who may have a malicious intent, and any answer posted here would be available to them as well.

I suggest going in another direction such as preventing the process from being ended, instead of hiding it. That way, at least if the knowledge gets to those who shouldn't have it, then people can still see that the process is there, and know if they have a worm etc.
"In order to understand recursion, you must first understand recursion."
My website dedicated to sorting algorithms
You'll need a kernel module to do what you want. Have you written any device drivers before? Every process is represented in the kernel by a special structure. One of the members of that structure serves as a node in a linked list that connects that structure to the structures of every process. To do what you want you'll need to unlink the node for the target process from that list.

If you're not down for all that, you'll need to establish a system wide hook to inject a dll into every process and then have that dll hook the toolhelp functions as well as a few other ones that I don't recall the names of off the top of my head. Other methods are even worse.

At any rate, user mode approaches can be circumvented by utilities that read the kernel structures through a device driver.



"I thought what I'd do was, I'd pretend I was one of those deaf-mutes." - the Laughing Man
@ iMalc, I expected answers like yours, so I'm not surprised. And I do agree that this type of programming could be used for malicious purposes. But the whole point of this program is to prevent, among other things, DLL injection into this program and the game client that it is protecting. And yes, I could have taken this question to another forum, but I wouldn't have gotten the type of help I was looking for.

My advice for you is to be more optimistic about helping people.

@ LessBread, I was thinking somewhere along those lines. I don't have that much experience with device drivers, but there's a first time for everything, and I'm willing to learn.

I do not like the option of injecting a DLL into every process as it's run; seems too shady for my taste.

Thanks for the help.

To change the topic of the post, I had one more question that relates to injecting a DLL into every process (and I think it would still come down to kernel level).

One of the other programmers working on this project is actually writing a program that does what was said (injects into every process); he's doing this to see if any of the running processes make a call to the game client (either by process or by window name), which in turn will kill the client.

So my question is, is there any way from within the client (through a DLL) to detect if any outside program is trying to access it or inject something into it?

I also should mention that this is a mod project of an existing game, so we don't have access to the source of the client, but we do have permission to use it.
Quote:Original post by Feralrath
@ iMalc, I expected answers like yours, so I'm not surprised. And I do agree that this type of programming could be used for malicious purposes. But the whole point of this program is to prevent, among other things, DLL injection into this program and the game client that it is protecting. And yes, I could have taken this question to another forum, but I wouldn't have gotten the type of help I was looking for.

My advice for you is to be more optimistic about helping people.
I'm glad you understand the position many of us take on this. I had a feeling you would.

About your advice though, I've actually seen a number of people on other forums trying to obtain similar information until it was discovered that it really was for malicious purposes. Such as when you ask for source code snippets, they forget to take out dead-giveaway comments etc.
I also hope you really took note that it isn't necessarily you that could have malicious intent. You certainly don't have to be a registered user to merely view these forums, and they do show up on google eventually.

One thing I hope you've also considered is that the best way to protect against such things is actually to wait until someone does invent some cheat, and then see how it works, at which point it should then be obvious how you can prevent it. I.e. Let the hacker do the hard work for you![smile]
You can only go so far with pre-emptive measures.

I'm afraid I also don't actually have any advice pertaining directly to assisting with the questions supplied, beyond what LessBread has already provided. However, I wish you luck all the same.
"In order to understand recursion, you must first understand recursion."
My website dedicated to sorting algorithms
Quote:Original post by Feralrath
I was thinking somewhere along those lines. I don't have that much experience with device drivers, but there's a first time for everything, and I'm willing to learn.

Then the buzzword to be researching is 'rootkit'. The methods are very well documented on the web, but it's still no mean feat to produce an effective rootkit. Particularly when most antivirus software holds a zero-tolerance policy on IDT and LKM table re-routing. While I can't speak for the rest of the members here, I'd be prepared to give you a little help on specific queries, but nobody will walk you through the rootkit-writing process.

Quote:is there any way from with in the client(through a dll) to detect if any outside program is trying to access it or inject something into it?

There are several. Perhaps one of the cleanest would be to hook kernel32!LoadLibraryExW (or ntdll!LdrLoadDLL) and check that the module name being passed is in your user-defined white-list. This will protect against first-order DLL injection. Of course, if the hacker is coding their patch with your program in mind, you're powerless. There are other methods the hacker can use to inject code into your process, each with its own countermeasures, but we'd be here all day, trying to describe them in detail.

Admiral
Ring3 Circus - Diary of a programmer, journal of a hacker.
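The white-list check TheAdmiral describes, as an added example that is not code from the thread: the decision a kernel32!LoadLibraryExW hook would make on the module name before forwarding the call to the real function. Installing the hook itself is Windows-specific and omitted; the module list, the function names and the sample paths are hypothetical. It also covers the case where LoadLibrary appends ".dll" to an extension-less name.

```c
/* Added example (not from the thread): white-list decision for a LoadLibraryExW hook. */
#include <wchar.h>
#include <wctype.h>

/* Modules the protected client may load (hypothetical list). */
static const wchar_t *const allowed_modules[] = { L"kernel32.dll", L"user32.dll", L"ntdll.dll", L"gameclient.dll" };

/* Strip any directory prefix; Windows accepts both '\\' and '/' separators. */
static const wchar_t *module_basename(const wchar_t *path)
{
    const wchar_t *base = path;
    for (const wchar_t *p = path; *p; p++)
        if (*p == L'\\' || *p == L'/')
            base = p + 1;
    return base;
}

/* Case-insensitive compare of the first n chars (Windows file names ignore case). */
static int equal_ci_n(const wchar_t *a, const wchar_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (towlower((wint_t)a[i]) != towlower((wint_t)b[i]))
            return 0;
    return 1;
}

static int matches_allowed(const wchar_t *base, const wchar_t *allowed)
{
    size_t n = wcslen(base), m = wcslen(allowed);
    if (n == m)
        return equal_ci_n(base, allowed, n);
    /* LoadLibrary appends ".dll" to an extension-less name: "kernel32" -> "kernel32.dll". */
    if (wcschr(base, L'.') == NULL && m == n + 4 && equal_ci_n(allowed + n, L".dll", 4))
        return equal_ci_n(base, allowed, n);
    return 0;
}

/* 1: forward to the real LoadLibraryExW; 0: refuse (the hook would return NULL and
 * set ERROR_ACCESS_DENIED). NULL, empty and directory-only names match nothing. */
int dll_load_allowed(const wchar_t *lib_file_name)
{
    if (lib_file_name == NULL)
        return 0;
    const wchar_t *base = module_basename(lib_file_name);
    for (size_t i = 0; i < sizeof allowed_modules / sizeof allowed_modules[0]; i++)
        if (matches_allowed(base, allowed_modules[i]))
            return 1;
    return 0;
}
```

As the post notes, this only catches loads that go through the hooked function; a name-based list also says nothing about the file's contents, so it is a first line, not a complete defence.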
Poke around here: www.rootkit.com.

Note the handgun graphic in the corner of that website. I think that's there to say that rootkits are akin to deadly weapons, so be forewarned.
"I thought what I'd do was, I'd pretend I was one of those deaf-mutes." - the Laughing Man
Thank you all, I just picked up a couple of books on rootkits today after your advice yesterday (will check out the link too).

@iMalc, to be honest, I would have been sadly disappointed if I didn't get some negative feedback on this post. =)

@TheAdmiral, thank you for the offer; if I need any pointers I'll contact you. I don't like to be walked through anything, but a helping hand is always welcome. One of the biggest problems in trying to protect the client is that the game maker released the PDB file by accident, so most of the hackers have dumped it and know the exact syntax of each command =(.

@LessBread, lol, thanks for the warning; fortunately I don't program on my main computer, so reinstalling the OS if I mess things up isn't that big of a problem.

Once again, thanks for the help.
Quote:Original post by LessBread
Poke around here: www.rootkit.com.

Note the handgun graphic in the corner of that website. I think that's there to say that rootkits are akin to deadly weapons, so be forewarned.

Quote:Original post by Feralrath
@LessBread, lol, thanks for the warning; fortunately I don't program on my main computer, so reinstalling the OS if I mess things up isn't that big of a problem.

I'm not sure the warning is about messing up your system. Remember the Sony rootkit? Its purpose was to protect Sony's copyrights, however (according to Wikipedia): Sony is being sued by the states of Texas, New York, and California. The U.S. Department of Justice has not ruled out taking criminal action against Sony. The matter is being investigated by the state of Florida. Sony is being sued by Italy.

There is no reason to assume that you would be immune to the same kind of treatment.
John Bolton
Locomotive Games (THQ)
Current Project: Destroy All Humans (Wii). IN STORES NOW!
Ahh, I see your point. I don't know if this is the way that I'm going to go with it or not. Still looking up other options.
