Hiding a program (process) from the Windows NT Task Manager

Source: Internet
Uploaded by: User

From: http://w-shadow.com/blog/2006/09/21/hiding-from-nt-taskmanager/


Here and there, people keep asking - “How do I hide my process in Windows NT/2000/XP?”. Nearly everyone knows how to do that on Windows 95/98, but there is no definite answer for NT-based systems. So today I’ll give you a short summary of four methods that can be used to hide your process on NT…

Warning : This information is intended for educational purposes only!

DLL Injection
The simplest way to hide a process is to have no process. Basically, what you need to do is place your meaningful code in a DLL, inject that DLL into an inconspicuous process (like Explorer.exe) and run your code there. This can be fairly easily achieved with the CreateRemoteThread() API function: write the DLL's path into the target with VirtualAllocEx()/WriteProcessMemory(), then start a remote thread whose start address is LoadLibraryA() (on NT/2000/XP kernel32.dll is mapped at the same base in every process, so the local address is valid in the target) and whose parameter is that path. I have created a sample application & DLL that demonstrate this approach.
Download wsHideDLL.zip (10 Kb, Delphi)

Good : Simplicity, doesn't affect system stability very much.
Bad : Works only on NT-based systems, and the injected DLL still shows up in the host process's module list (Process Explorer and similar tools will list it).

API hooking
On NT systems the process list is usually obtained by calling NtQuerySystemInformation() with the SystemProcessInformation class; Task Manager uses it, and the Toolhelp functions (Process32First/Process32Next) are built on top of it. If you hook this function and drop your own entry from the buffer it returns, your process becomes invisible to every caller inside the hooked process. You can similarly hook Process32Next and other functions on other Windows versions to achieve the same result. Two catches: a user-mode hook only affects the process it is installed in, so it has to be injected into every process that enumerates (in practice, system-wide); and API hooking is a non-trivial task, so most likely you'll end up looking for premade libraries… which are damn expensive.

Good : Depends on hooking method/library. No special considerations for your application (unlike when writing and injecting a DLL).
Bad : Depends on hooking method/library.
Links :
    Description of some APIs you could hook
    Hooking WinNT/2K/XP API
    madCodeHook library
    Hook-API SDK
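The part of the hook that the paragraph above leaves implicit is how you "drop your own entry": SystemProcessInformation returns a single buffer of variable-length records chained by NextEntryOffset, and the hook patches that offset chain after the original function has filled the buffer. The following is an added example (mine, not code from the original post or from any of the linked libraries) that implements exactly that post-processing step in portable C so it can be run anywhere. The SPI struct is a cut-down stand-in with only the two fields the hook touches (an assumed layout; the real SYSTEM_PROCESS_INFORMATION has many more), the 16-byte per-thread record is likewise assumed, and the sample buffer is constructed, not captured. It handles the three cases a real hook must: a middle entry, the last entry (the predecessor becomes the terminator), and the first entry (which has no predecessor to skip it, so the buffer is slid down).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cut-down stand-in for SYSTEM_PROCESS_INFORMATION (assumed layout):
 * the hook only reads UniqueProcessId and rewrites NextEntryOffset. */
typedef struct {
    uint32_t  NextEntryOffset;   /* byte distance to the next entry, 0 = last */
    uint32_t  NumberOfThreads;
    uint8_t   Pad[48];           /* stands in for the fields we never touch  */
    uintptr_t UniqueProcessId;   /* HANDLE-sized PID in the real structure   */
} SPI;

#define THREAD_REC 16            /* size of one fake per-thread record (assumed) */

/* Post-processing done by a hook on NtQuerySystemInformation(
 * SystemProcessInformation): after the original call filled `buf`
 * (`len` bytes), drop every entry whose PID is `hide`.
 * Returns the number of entries removed. */
size_t hide_pid(uint8_t *buf, size_t len, uintptr_t hide)
{
    size_t removed = 0;
    SPI *prev = NULL;
    uint8_t *p = buf;

    for (;;) {
        SPI *cur = (SPI *)p;
        uint32_t next = cur->NextEntryOffset;

        if (cur->UniqueProcessId != hide) {
            if (next == 0) break;
            prev = cur;
            p += next;
            continue;
        }
        if (prev != NULL) {
            /* Make prev skip cur; if cur was last, prev becomes the terminator. */
            prev->NextEntryOffset = next ? prev->NextEntryOffset + next : 0;
            removed++;
            if (next == 0) break;
            p += next;               /* examine cur's successor, prev unchanged */
            continue;
        }
        /* cur is the first entry: nothing precedes it, so slide the rest of the
         * buffer down over it. (Real output always starts with the Idle
         * process, PID 0, so this branch is rarely hit in practice.) */
        if (next == 0) break;        /* sole entry: nothing left to show instead */
        memmove(p, p + next, len - (size_t)(p - buf) - next);
        removed++;                   /* loop again on the entry now at p */
    }
    return removed;
}

/* What a caller sees afterwards: walk the chain and collect the PIDs. */
size_t list_pids(const uint8_t *buf, uintptr_t *out, size_t max)
{
    size_t n = 0;
    for (const uint8_t *p = buf;;) {
        const SPI *e = (const SPI *)p;
        if (n < max) out[n] = e->UniqueProcessId;
        n++;
        if (e->NextEntryOffset == 0) break;
        p += e->NextEntryOffset;
    }
    return n;
}

/* Append one variable-length entry (header + nthreads fake thread records). */
static size_t put_entry(uint8_t *buf, size_t at, uintptr_t pid,
                        uint32_t nthreads, int last)
{
    SPI *e = (SPI *)(buf + at);
    size_t size = sizeof(SPI) + (size_t)nthreads * THREAD_REC;
    memset(e, 0, size);
    e->UniqueProcessId = pid;
    e->NumberOfThreads = nthreads;
    e->NextEntryOffset = last ? 0 : (uint32_t)size;
    return at + size;
}

/* Constructed sample buffer, not real NtQuerySystemInformation output. */
size_t build_sample(uint8_t *buf)
{
    size_t at = 0;
    at = put_entry(buf, at, 0,    1, 0);   /* Idle        */
    at = put_entry(buf, at, 4,   10, 0);   /* System      */
    at = put_entry(buf, at, 1234, 3, 0);   /* explorer    */
    at = put_entry(buf, at, 5678, 2, 0);   /* our process */
    at = put_entry(buf, at, 4321, 1, 1);   /* notepad     */
    return at;
}

/* Hide `pid` in a fresh sample; 1 if the visible PIDs equal want[0..n). */
int check_hide(uintptr_t pid, const uintptr_t *want, size_t n)
{
    uint8_t buf[1024];
    uintptr_t seen[8];
    size_t len = build_sample(buf);
    size_t removed = hide_pid(buf, len, pid);
    if (removed != 5 - n || list_pids(buf, seen, 8) != n) return 0;
    return memcmp(seen, want, n * sizeof *want) == 0;
}

int main(void)
{
    uint8_t buf[1024];
    uintptr_t pids[8];
    size_t n = 0, i, len = build_sample(buf);
    hide_pid(buf, len, 5678);
    n = list_pids(buf, pids, 8);
    for (i = 0; i < n; i++) printf("%lu\n", (unsigned long)pids[i]);
    return 0;
}
```

In a real hook the same function runs over the caller's output buffer right after the original NtQuerySystemInformation returns STATUS_SUCCESS; the returned length can be left alone, since callers walk the offset chain rather than the byte count.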

Writing a driver
Drivers can do anything, so there surely is a way to create a custom driver that will hide your process. There is an example of such a driver and a program using it here (C and Visual Basic). The internal process list the driver apparently modifies is the kernel's doubly linked list of EPROCESS structures (the ActiveProcessLinks list): unlinking your own entry hides you from NtQuerySystemInformation and everything built on top of it. Good luck trying to understand this code.

Good : Extremely effective, and works for every viewer at once.
Bad : Hard to port (the EPROCESS offsets change between Windows versions), messing with OS internals can cause it to crash, and a process unlinked this way can still be found by tools that scan memory for process objects instead of walking the list. Writing a driver is a complex task.
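To make the "internal process list" concrete, here is an added example of my own (not the linked driver's code) that models the kernel-side unlink in portable C: a toy EPROCESS with an assumed layout (just a PID, the LIST_ENTRY, and an image name; real offsets differ per build), the kernel's own InsertTailList/RemoveEntryList logic, and the hide step. The part a quick reading of such a driver misses is the self-link after unlinking: when the hidden process later exits, the kernel runs RemoveEntryList on its links, and if those still point at old neighbours whose EPROCESS may since have been freed, that write corrupts memory or bugchecks. The scenario below constructs four processes, hides one, lets a neighbour exit and get freed, then lets the hidden process exit, and checks that the list is still consistent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the kernel's LIST_ENTRY. */
typedef struct LE { struct LE *Flink, *Blink; } LIST_ENTRY;

/* Toy EPROCESS with only the fields the technique touches (assumed layout). */
typedef struct {
    uintptr_t  UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* links into PsActiveProcessHead */
    char       ImageFileName[16];
} EPROCESS;

/* CONTAINING_RECORD equivalent for the ActiveProcessLinks field. */
#define ENTRY_TO_PROC(e) \
    ((EPROCESS *)((char *)(e) - offsetof(EPROCESS, ActiveProcessLinks)))

void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

/* InsertTailList: a new process is appended to the list. */
void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* RemoveEntryList: what the kernel runs when a process exits. */
void list_remove(LIST_ENTRY *e)
{
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* The hide: unlink our EPROCESS, then point its links at itself so that the
 * kernel's later RemoveEntryList writes only into our own structure. */
void dkom_hide(EPROCESS *p)
{
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    list_remove(e);
    e->Flink = e->Blink = e;
}

/* What NtQuerySystemInformation effectively does: walk from the head. */
size_t walk_pids(const LIST_ENTRY *head, uintptr_t *out, size_t max)
{
    size_t n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        if (n < max) out[n] = ENTRY_TO_PROC(e)->UniqueProcessId;
        n++;
    }
    return n;
}

/* Check a detector would run: every link must be reciprocal. */
int list_consistent(const LIST_ENTRY *head)
{
    const LIST_ENTRY *e = head;
    do {
        if (e->Flink->Blink != e || e->Blink->Flink != e) return 0;
        e = e->Flink;
    } while (e != head);
    return 1;
}

/* Constructed scenario. Returns the number of visible PIDs, fills out[],
 * and reports list consistency through *consistent. */
size_t run_scenario(uintptr_t *out, size_t max, int *consistent)
{
    static EPROCESS procs[4];
    const uintptr_t pids[4] = {4, 1234, 5678, 4321};
    LIST_ENTRY head;
    memset(procs, 0, sizeof procs);
    list_init(&head);
    for (int i = 0; i < 4; i++) {
        procs[i].UniqueProcessId = pids[i];
        list_insert_tail(&head, &procs[i].ActiveProcessLinks);
    }
    dkom_hide(&procs[2]);                       /* hide PID 5678            */
    list_remove(&procs[1].ActiveProcessLinks);  /* PID 1234 exits normally  */
    memset(&procs[1], 0xCC, sizeof procs[1]);   /* ...and its EPROCESS is freed */
    list_remove(&procs[2].ActiveProcessLinks);  /* hidden process exits: safe,
                                                   it only touches itself   */
    *consistent = list_consistent(&head);
    return walk_pids(&head, out, max);
}

/* 1 if, after the scenario, only PIDs 4 and 4321 are visible and the list
 * is still consistent. */
int scenario_ok(void)
{
    uintptr_t out[4];
    int consistent;
    size_t n = run_scenario(out, 4, &consistent);
    return consistent && n == 2 && out[0] == 4 && out[1] == 4321;
}

int main(void)
{
    printf("scenario %s\n", scenario_ok() ? "ok" : "FAILED");
    return 0;
}
```

The hidden process keeps running because the scheduler works on thread objects, not on this list; only enumeration through the list loses sight of it, which is also why the consistency check above passes after the hide.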

Hacking TaskManager itself
An ingenious way to solve the problem of hiding your process is to delete it from the “Processes” tab in Task Manager, literally. The list is a SysListView32 control and you can use SendMessage() to tell it to delete specific items (LVM_DELETEITEM with the row index). Two practical points: to find which row is yours you need the row text, and LVM_GETITEMTEXT takes a pointer to an LVITEM and a text buffer that must live in Task Manager's address space, so they have to be placed there with VirtualAllocEx()/WriteProcessMemory() first; and Task Manager refreshes the list on a timer, so the row comes back on the next refresh and has to be deleted again every time. Read the article here : Hack Windows Task Manager.

Good : Clever. I didn’t realize it could be done like that.
Bad : Works only on Task Manager; every other viewer still sees the process.

I hope this article was useful to you.
