How to detect hidden processes

I wonder how an application like "Process Explorer" or "Combo Fix" detects a hidden process? I assume this should be done in C or C++. It's easy enough to access the list of processes even in .NET, but it's not always accurate; I know that rootkits can be masked from the Task Manager. Is it memory access and I/O? Curious if anyone knows how to do this.

+1
1 answer

This question cannot be answered. It depends on how this process was hidden in the first place. For example, someone might hide a process by introducing a usermode DLL into all processes that intercepts EnumProcesses, Process32Next, etc., and all other APIs related to process listing. This would be bypassed by a trampoline that misses the hook.

However, if the process was hidden by modifying the kernel's EPROCESS linked list, which contains the list of processes, then another method would be required to undermine the code that performed the hide. If you determine how you think the process is “hidden”, perhaps we can suggest how to detect it. Which processes, in your opinion, are hidden but still detected by Process Explorer?
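One concrete form of the "use a path the hook does not cover" idea in this answer, as an added example that is not part of the answer and not code from Process Explorer or any other tool named on the page: a cross-view check on Linux. View 1 is the /proc directory listing (the path a usermode hook or a readdir filter would tamper with); view 2 is a brute-force kill(pid, 0) probe over the PID space, which never reads the process list at all. PIDs alive in view 2 but absent from view 1 are candidates, after filtering out thread IDs via /proc/<pid>/status (on Linux, kill(tid, 0) succeeds for thread IDs too, so without that filter every multi-threaded process produces false positives). The Windows analogue would compare a Process32Next snapshot against a direct OpenProcess probe over the PID space; it is not shown here. All function names below are this example's own.

```python
"""Cross-view hidden-process check (Linux), added example.

Principle: collect the process list twice, once through the path a
hook would control and once through a path it does not cover, and
report the difference. A hider that controls both views (e.g. one that
edits the kernel's task/EPROCESS list itself) passes this check; that
case needs a different approach, as the answer above says.
"""
import os
import sys


def diff_views(listed, probed, ignore=()):
    """Pure comparison of two PID collections.

    'listed' is what the normal enumeration reported; 'probed' is what
    the independent probe found alive. 'hidden' = alive but unlisted,
    'stale' = listed but not alive (usually just processes that exited
    between the two collections, so it is reported, not flagged).
    """
    listed_s, probed_s, ignore_s = set(listed), set(probed), set(ignore)
    return {
        "hidden": sorted((probed_s - listed_s) - ignore_s),
        "stale": sorted((listed_s - probed_s) - ignore_s),
    }


def find_hidden(listed, probed, classify):
    """Keep only alive-but-unlisted PIDs that classify() says are real
    processes. classify(pid) returns "thread", "process" or
    "no-proc-entry"; the last two are both suspicious."""
    return [pid for pid in diff_views(listed, probed)["hidden"]
            if classify(pid) != "thread"]


def proc_listing_view():
    """View 1: readdir("/proc"), the path ps and most tools rely on."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def signal_probe_view(max_pid):
    """View 2: kill(pid, 0) for every PID. ESRCH = no such process;
    EPERM = exists but is not ours. Nothing here reads a listing."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def classify_by_status(pid):
    """Open /proc/<pid>/status directly (works even if the entry was
    filtered out of readdir) and compare Tgid: a thread has Tgid != pid."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return "thread" if int(line.split()[1]) != pid else "process"
    except FileNotFoundError:
        return "no-proc-entry"
    except PermissionError:
        return "process"
    return "process"


def default_max_pid():
    """Upper bound of the PID space from the kernel; 32768 as a fallback."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return 32768


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("this collector is Linux-only; the diff/find functions are generic")
    listed = proc_listing_view()            # hookable view
    probed = signal_probe_view(default_max_pid())  # independent view
    hidden = find_hidden(listed, probed, classify_by_status)
    print("listed:", len(listed), "probed alive:", len(probed))
    print("alive but unlisted (candidates):", hidden)
```

Run it as root for a full picture; unprivileged, the probe still sees other users' processes (EPERM counts as alive), and status files are normally world-readable. A candidate whose /proc/<pid>/status is readable but which is missing from readdir is the classic readdir-filter hide; a candidate with no /proc entry at all is either a race with process exit (re-run to confirm) or something deeper.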


[The comment thread under this answer did not survive extraction; only fragments remain. They mention EnumProcesses, IAT, VEH with EIP/RIP, and usermode APIs, and list two approaches:]

  • Dynamic (Runtime) Detouring (Microsoft Detours).
  • (Static) Binary Rewriting (Windows; Etch).

+10