Posted

I wondered if there was any way to create a program that will hide a process. I have an .exe I didn't create, so it's compiled, and I wondered if there was any way to hide the .exe from the process list so it can't be monitored? Any way to hide an external .exe from the process list?

thx for any help

mike


Posted
I wondered if there was any way to create a program that will hide a process. I have an .exe I didn't create, so it's compiled, and I wondered if there was any way to hide the .exe from the process list so it can't be monitored? Any way to hide an external .exe from the process list?

On 9x-based systems this can be done with a simple API call (see article at Borland.com). I think it is quite impossible to do this in a "normal way" for NT-based systems.

Posted

Yes, there is a way to do it with the RegisterServiceProcess API, but this only works on 9x as you stated, and gives the following error on NT-based systems: Cant find Dll entry point.

My friend is testing a process scanner to check what programs are running and he said if anything is run it will be picked up. I said if the process is hidden then it won't be found by his scanner, which is what I'm trying to do.

I got some code which will hide the process and rename them to different process names such as explorer etc. I have been trying to change this so it will hide an external exe. I've attached it if anyone wants a look.

thx for any help

mike

icanhide.zip

Posted

It is not possible to hide a process under NT. This is for security reasons, and why MS removed this function from the API. Have you tried running the exe as a service via srvany.exe from the NT resource kit? The srvany exe will show up in the process list, but not the target exe.

Posted

I tried using srvany and it didn't seem to work using the NT method; it wouldn't start, got halfway along and stopped.

Is running an app as a service just like running it normally but it doesn't get shown as a process?

Posted

Your "icanhide" code is very clever, also kinda scary. It looks like it renames a program that is known to always be running (explorer) to the generic "svchost", then disguises itself as explorer. It looks like it wouldn't be too hard to modify this code to hide not only the icanhide program itself, but to find the next running process, also disguise it as svchost and then hide another external process specified in the icanhide code. (or just hide the external target as svchost)

It also looks like this will only hide things from task manager, not a custom scanner.

Any way you do it you have "something" running in the task manager. Don't think it's possible to completely hide, only disguise.

It is well that it is so hard to do this, or virus writers would have used it to render Windows completely unusable.

Posted

Ye, I played with it and managed to rename the process, but it is only renamed in Task Manager and I see what you mean :)

Looks like you're unable to do what I want under NT.

  • 1 month later...
  • 1 year later...
Posted
Is there any way to do that using VB .NET?
Probably impossible. First of all, it's VB, which isn't really a language for low-level systems programming. Secondly, it's .NET, which imposes more restrictions on the execution environment.

Rootkits are coded in C/Asm, even sometimes Delphi, but never in .NET.

Posted

It's quite easy to make your own service in .NET. I suppose you could make a service that appears similar to a legit service. Hiding in plain sight.
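
Added example, not part of the thread or of any poster's code: the thread notes that a disguised process only fools Task Manager, not a custom scanner, and the sketch below shows the check such a scanner can make by comparing the displayed name with the real image path. It assumes Windows is installed in C:\Windows; the process records are constructed sample data, and `check_process` and `scan` are hypothetical helper names.

```python
import ntpath

# Expected image directories for the two names mentioned in the thread.
# Assumption: default install with %SystemRoot% = C:\Windows (64-bit systems
# also carry 32-bit copies under SysWOW64).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

def check_process(name, image_path):
    """Classify one process as 'ok', 'masquerade', 'unverified' or 'not-tracked'."""
    key = name.strip().lower()
    if key not in EXPECTED_DIRS:
        return "not-tracked"
    if not image_path:
        # Path could not be read (e.g. access denied): cannot confirm either way.
        return "unverified"
    # Normalise case, separators and ".." segments before comparing.
    norm = ntpath.normcase(ntpath.normpath(image_path))
    directory, base = ntpath.split(norm)
    if base != key:
        # Displayed name does not match the file actually backing the process.
        return "masquerade"
    return "ok" if directory in EXPECTED_DIRS[key] else "masquerade"

def scan(processes):
    """Return (pid, verdict) for every tracked process that is not 'ok'."""
    findings = []
    for pid, name, image_path in processes:
        verdict = check_process(name, image_path)
        if verdict in ("masquerade", "unverified"):
            findings.append((pid, verdict))
    return findings

# Constructed sample records: (pid, displayed name, image path).
SAMPLE = [
    (4012, "explorer.exe", r"C:\Windows\explorer.exe"),
    (812, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (5120, "svchost.exe", r"C:\Users\user\AppData\Local\Temp\svchost.exe"),
    (5333, "Explorer.EXE", r"C:\Windows\System32\..\Temp\explorer.exe"),
    (6001, "svchost.exe", None),
    (7000, "explorer.exe", r"C:\Tools\icanhide.exe"),
    (6100, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE):
        print(pid, verdict)
```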
