Process Hidden from Process Monitor

I need to create an application that will read and write files (C++/MFC), but I need the process to not appear in Process Monitor (which comes with SysInternals).

From the reactions of others, I now confirm that this seems "illegal," but this is a client request I'm dealing with. Therefore, I think I just need to satisfy the client's request.

+4
4 answers

One of the uses of Process Monitor is the search for and removal of malicious software that tries to hide itself from the user:

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

I'm not saying that what you want to do is impossible; rather, you are trying to do something that seems a little dishonest.

Having said that, I would like you to consider that you are trying to hide the process from a utility that was written to find anything and everything, by people who are much smarter than you and me.

+19

I assume that you do not plan to do anything malicious. If so, it is important not to hide your application from diagnostic tools. You cannot guarantee that your application will be bug-free. Even if it were, you cannot predict its interaction with other applications. Because of this, you must leave it visible so that other technicians can fix the problem if something goes wrong.

As for your comment, "therefore, I think I just need to satisfy the client's request": not if it is illegal or technically dangerous for them. You need to protect yourself and them from bad judgment.

+17

PM reads data at a very low level, so to hide from it, you would actually have to take over certain structures and methods of the NT kernel so that they report different information to PM than what Windows itself sees. This depends on the platform and version (i.e., Windows XP SP1 is different from Windows XP SP2, which is different from Vista x64, etc.). It is almost impossible to do this right without creating an incredible amount of system instability problems.

While this is not strictly illegal, every company that did this and was discovered (and you will be) received a lot of backlash and criticism from users and security experts. Again, though not explicitly illegal, the kinds of changes required can open up serious security holes on end-user computers. If they suffer serious system malfunctions or are exposed to hackers/viruses, you could be legally liable for the damage.

+12

Perhaps the only semi-legitimate applications (although I would not want my name to be associated with them) that you would not want people to see are DRM watchers and nanny-cam style monitors for children and wandering spouses.

However, I do not think that your client really wants you to undermine such an important system. They probably want something less rootkit-like, but they picked up their vocabulary from watching "24" and were unable to adequately express what they want to do.

My advice would be to go back to them for clarification. If they really want something that is completely undetectable, you need to decide, based on your own conscience, whether to continue or to leave the client.

+3