How to hide a process in Linux. So, let's consider the standard processes.

One way to detect viruses on a PC is to look at the running processes in the Task Manager. Anti-virus programs do not always cope 100% with the tasks assigned to them, so sometimes you have to catch viruses by hand.

Many viruses hide their presence from the Task Manager: they are simply invisible there. In that case an alternative task manager helps; any of them can be downloaded online and used. The built-in Windows Task Manager is not very informative and does not show hidden processes, while third-party utilities of the same kind do not have this shortcoming and do show them. If the alternative utility lists processes that are missing from the standard manager, pay close attention to them: they may be malicious applications. Look at the manufacturer of the process, which is usually stated clearly, and at how many resources the process consumes. If it consumes a lot compared with the others, that is extremely suspicious.

Such an inspection should be done with applications closed, so that only the standard processes (and, of course, any viruses) remain. It is best to do this in Safe Mode. It is also a very good idea, right after installing Windows, to take a snapshot of the Task Manager page with the standard processes so that you can compare the differences later. By snapshot I mean a saved screenshot file, not a photo from a camera (it is made by pressing the Print Screen key; if you do not know how to do this, ask in the comments).

So, let's consider the standard processes:

  1. System - system processes, without the .exe extension. If a process with this name has an extension, it is a virus disguised as a system process.
  2. Smss.exe - the process that controls the launch of user sessions. If you have one account session, there is one Smss.exe; if there are more Smss.exe processes, draw the appropriate conclusions.
  3. Csrss.exe - the process that manages the creation of windows; there should always be one.
  4. Winlogon.exe - responsible for user logon authorization. Only one.
  5. Services.exe - provides the operation of the operating system services, runs on behalf of SYSTEM, also one.
  6. Lsass.exe - provides OS security, always one.
  7. Svchost.exe - hosts DLL files (dynamically linked libraries: drivers, ActiveX controls and so on). User name: LOCAL SERVICE, NETWORK SERVICE or SYSTEM. There should be at most six.
  8. SYSTEM - responsible for the keyboard layout and the language bar on the taskbar. There must be one.
  9. Explorer.exe - manages the desktop (shortcuts, icons, etc.) and its interface. Runs once.
  10. Spoolsv.exe - queues objects for printing. One. If you have no printer you can turn it off; the process is not critical.
  11. Wdfmgr.exe - responsible for the correct operation of the media player driver; also not a critical process.
  12. Taskmgr.exe - the Task Manager itself.
  13. And the very last one, System Idle Process, shows the free resources.

In normal mode, besides these processes, you will also have the processes of running applications and drivers. To terminate a suspicious process, select it and click End Process.
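The advice above, to record the standard processes on a clean system and compare against that record later, can be automated. The following PowerShell script is an added example, not part of the original article; the baseline file path and the three checks it performs (new image name, more instances than before, new image path) are my own choices, and the user-name column needs an elevated shell.

```powershell
# Added example, not from the original article. Run it once with -Mode Save
# on a clean system, later with -Mode Compare. Baseline path is an assumption.
param(
    [ValidateSet('Save', 'Compare')] [string] $Mode = 'Compare',
    [string] $BaselinePath = "$env:USERPROFILE\process-baseline.json"
)

function Get-ProcessSnapshot {
    # One record per image name: instance count, executable paths and the
    # accounts it runs under. -IncludeUserName needs an elevated shell.
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Group-Object -Property ProcessName |
        ForEach-Object {
            [pscustomobject]@{
                Name  = $_.Name.ToLowerInvariant()
                Count = $_.Count
                Paths = @($_.Group.Path | Where-Object { $_ } | Sort-Object -Unique)
                Users = @($_.Group.UserName | Where-Object { $_ } | Sort-Object -Unique)
            }
        }
}

function Compare-ProcessSnapshot($Baseline, $Current) {
    # Report image names absent from the baseline, more instances than before
    # (e.g. a second "lsass.exe") and images started from a path not seen before.
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Name] = $b }
    foreach ($c in $Current) {
        $b = $known[$c.Name]
        if (-not $b) {
            [pscustomobject]@{ Name = $c.Name; Finding = 'not in baseline'; Detail = ($c.Paths -join ', ') }
        } elseif ($c.Count -gt $b.Count) {
            [pscustomobject]@{ Name = $c.Name; Finding = "instances $($b.Count) -> $($c.Count)"; Detail = ($c.Users -join ', ') }
        } else {
            $newPaths = @($c.Paths | Where-Object { @($b.Paths) -notcontains $_ })
            if ($newPaths.Count -gt 0) {
                [pscustomobject]@{ Name = $c.Name; Finding = 'new image path'; Detail = ($newPaths -join ', ') }
            }
        }
    }
}

if ($Mode -eq 'Save') {
    Get-ProcessSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    Compare-ProcessSnapshot -Baseline $baseline -Current (Get-ProcessSnapshot) | Format-Table -AutoSize
}
```

A second copy of a singleton such as lsass.exe or winlogon.exe shows up as an "instances 1 -> 2" finding, and a svchost.exe started from a user folder shows up as a "new image path" finding.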

This is one of the ways, safer than, say, experimenting with the system registry.

Anonymity and secrecy often play a key role in the successful performance of any actions, both in reality and in the virtual world, in particular in operating systems. This article discusses how to become anonymous on Windows. All information is provided for familiarization purposes only.

So, we will try to hide from the user's eyes in the Windows Task Manager. The way we will achieve this is extremely simple compared with the methods based on intercepting kernel (often undocumented) functions and writing our own drivers.

The essence of the method: find the Task Manager window -> find in it the child window (the list) containing the names of all processes -> delete our process from that list.

As you can see, no manipulation of our process itself is carried out: it has been running and will continue to run. Since the ordinary Windows user, as a rule, does not use any other tools to view the running processes on his computer, this only plays into our hands. In most cases the process will not be noticed.

What was used for the study:

1) Spy++ from Microsoft (for studying the hierarchy of the Task Manager's child windows)
2) OllyDbg, to see which functions the Task Manager uses to obtain the process snapshot
3) The Task Manager itself, taskmgr.exe

To write the code we will use Delphi. Delphi is simply more convenient in our case than C++, but that is only my humble opinion.

First of all, let's find out what the process list is and how it works. At a glance it is clear that this is an ordinary window of class "SysListView32" (a list view), refreshed at 2 frames per second (every 0.5 seconds). Let's look at the window hierarchy:

As you can see, the process list is indeed an ordinary window of class "SysListView32", which is a child of the "Processes" window (the tab), which in turn is a child of the main Task Manager window: only two levels of nesting. The list also has one child window of class "SysHeader32", which, as is easy to guess, is the header (column captions) of the process list.

Since this is an ordinary list view, we have at our disposal a whole set of macros for managing its contents. Their variety is impressive at first glance. But many of them only work from the owning process, so to use them we would have to act as if they were executed inside that process. Not all of them have this limitation, though; in particular the macro ListView_DeleteItem, which removes an item from a list view (class "SysListView32"), does not.

We will call it from our own application's process. This function receives the index of the element to be removed as its second parameter.

Now we need to find out what index the item with the name of the hidden process has in the Task Manager. To do this we would have to pull all the items (labels with process names) out of the Task Manager's list and compare them one by one with the name of the process we want to hide.

Using macros such as ListView_GetItemText, our actions would be roughly the following:

1) allocate a region of memory inside the Task Manager process (VirtualAllocEx);
2) send the LVM_GETITEMTEXT message (SendMessage) to the Task Manager's child window;
3) write the list item descriptor (WriteProcessMemory) into the allocated region of Task Manager memory;
4) read back from the Task Manager's memory the information about the item that interests us (ReadProcessMemory).

With this method it is easy to "shoot yourself in the foot" while counting byte offsets from the start of the various structures used in the code. It is also quite heavy going for anyone who is not deep into WinAPI, so we will set it aside right away; in any case it is not hard to find an implementation of it on the Internet. Instead, I suggest building our own list of processes and, using it as a guide, looking up the index of the coveted process in the Task Manager's list.

Microsoft did not bother much with the tool called "Task Manager" and used the ordinary WinAPI functions to get all the processes in the system. A cursory look at taskmgr.exe under the debugger:

We see the WinAPI function CreateToolhelp32Snapshot being used. Everyone knows that this function can be used not only to take a snapshot of processes but also, for example, of threads or modules; in this case, however, that is unlikely. Nor is anything like EnumProcesses likely to be used here.

We have decided to build our own list of processes and search for our process in it. For this we use the function found in the debugger. If you open the Task Manager on the Processes tab, you will notice that all processes are sorted alphabetically for easy searching. Therefore we need to get the names of all processes in the system and sort them in ascending alphabetical order. Let's start writing code in Delphi.

First we create a demo window application with two timers: the first re-creates the list of processes at the same frequency as the Windows Task Manager (every two seconds); the second fires 1000 times per second and serves to track updates of the process list in the Task Manager and, hence, the reappearance of our hidden process. We also add a button to the form.

Code:

// Fragment of the form unit (requires the Windows, CommCtrl and TlHelp32 units)
var
  ind: Integer;     // index of the hidden item in the Task Manager list
  h: THandle;       // handle of the Task Manager's SysListView32 window
  last_c: Integer;  // item count seen on the previous pass

procedure UpdateList();
var
  th: THandle;
  entry: PROCESSENTRY32;
  b: Boolean;
  i, new_ind: Integer;
  plist: TStringList;
begin
  // List of processes
  plist := TStringList.Create;
  // Take the process snapshot
  th := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
  entry.dwSize := SizeOf(PROCESSENTRY32);
  b := Process32First(th, entry);
  while b do
  begin
    plist.Add(entry.szExeFile);
    b := Process32Next(th, entry);
  end;
  // Sort it so that the item indexes match those in the Task Manager
  plist.Sort;
  last_c := plist.Count;
  // Find the index of our process "explorer.exe"
  for i := 1 to plist.Count - 1 do
    if LowerCase(plist[i]) = 'explorer.exe' then
      new_ind := i - 1;
  // Remove the item from the list
  if new_ind <> ind then
    ListView_DeleteItem(h, ind);
  ind := new_ind;
  plist.Free;
  // Start the timer that tracks updates of the process list
  if Form1.Timer2.Enabled = False then
    Form1.Timer2.Enabled := True;
end;

procedure TForm1.HideProcessButton(Sender: TObject);
begin
  // Look for the child window of class "SysListView32"
  h := FindWindow(nil, 'Windows Task Manager');
  h := FindWindowEx(h, 0, nil, 'Processes');
  h := FindWindowEx(h, 0, 'SysListView32', nil);
  // Start the timer that rebuilds the process list
  Timer1.Enabled := True;
end;

procedure TForm1.Timer1Timer(Sender: TObject);
begin
  UpdateList();
end;

procedure TForm1.Timer2Timer(Sender: TObject);
begin
  // Detect changes in the list
  if ListView_GetItemCount(h) > last_c then
    ListView_DeleteItem(h, ind);
  last_c := ListView_GetItemCount(h);
end;

That is, in fact, all the code.
As an example, we hide the Task Manager's own process in the Task Manager.

Here it is:

And after clicking the "Hide Process" button the process disappears from the list:

All traces of its presence in the system are erased, and it itself quietly keeps running in the usual mode somewhere in the depths of the processor :)

Outro

Well, I think this method deserves to exist, although it needs some minor improvements. Of course, it cannot hide the process from the system itself, but hiding it in the standard Windows tool that the lion's share of users rely on is not bad either.
I hope I managed to get you at least a little interested in this subject.

See you later! And may the power of anonymity be with you ...


The spy hides its location, hides its process and hides its service in the system. And that is not all: it knows how to defend itself by blocking every possible way of terminating its processes and deleting its files. The spyware does this in case you do find it. Yet by simple means it is impossible to detect the presence of the spy in the system. For this reason many users lose personal information without even realizing it.

To find out whether you are being watched by this spy, it is useless to look at the standard monitors, to try to find it manually or to scan the system: during testing, anti-virus programs did not detect the spyware, so the user gets the impression that everything is in order.

To detect the surveillance, open the System Process Monitor, then open the "Hidden Process Monitor" by clicking the "Hidden Processes" button. In the window that opens, processes that hide themselves from the system are highlighted in red.

All In One Keylogger is detected. Add the process name to the threat database through the program's context menu. On the different systems tested, the spy had different process and file names. If you try to end the hidden process, you get an error message. You can get into the folder with the spy application through the context menu item; otherwise it will not work. Nor can you use its uninstaller: the spy protects itself from deletion, which means there are other processes in the system that control the spy's operation. Open the "Hidden Services Monitor" (available only in the Pro versions) in the "System Services" window. Any service hiding from the system will be highlighted in red. In the standard list of system services this surveillance cannot be detected.

A hidden service belonging to the spy All In One Keylogger is also detected. This service and process protect themselves and do not stop. Add it to the threat database through the context menu. The first task is done: the surveillance has been detected. Now you know for sure that you are being watched.

To remove the spy All In One Keylogger, enter the COVERT security platform by clicking the button labeled "Login to the protection platform". In the "Processes" window you will see the processes highlighted in red; terminate them through the context menu. Inside the protection platform the spy can neither hide nor defend itself.

Then open the "System Services" window. In the standard "Active Services" list, stop and delete the service marked in red through the context menu (in the "All services" list it may be highlighted in yellow). Inside the protection platform the spy can neither hide nor defend itself.

After that, exit the protection platform and delete the spy's folder with its files. It will no longer be hidden or protected.

If you have a version of COVERT Base or COVERT USB, which do not have the "Hidden Service Monitor" feature, then to mask your actions from the spy All In One Keylogger enter the COVERT security platform and work with any applications there. The spyware will not be able to retrieve data about your activity while you are inside the platform of any version of the COVERT program.

The programs active on a computer can always be viewed by opening the Task Manager. Sometimes, however, you may need to make the execution of some program invisible. If you have this wish, you will probably start looking for an answer to the question of how to hide a process in the Windows Task Manager.

Learn how to hide a process from the Windows Task Manager

Of course, the anonymity of some programs allows tracking those who clutter a personal computer excessively. Such monitoring is especially important when several users have access to the PC.

The desire to hide a process also arises among those who install their own program and want advanced users not to be able to identify its presence easily.

Any execution of a program is a process that needs a certain share of RAM. Processes are divided into:

• system;
• anonymous;
• user;
• connected with the Internet.

Those who lack practical experience and the necessary technical knowledge are advised not to interfere with system processes, since such ill-considered actions can provoke extremely undesirable consequences. One of them can be that the operating system subsequently fails to start.

You can learn how to hide any user program without great effort; you only need to read our recommendations carefully. We stress that even an advanced engineer who is unaware of your "creative activities" will simply not notice the "extra" process.

Algorithm of actions

If you need to hide a software application, first find out whether it is simple, that is, whether it starts additional processes capable of giving it away no matter how hard you try to hide the program.

If your program is indeed simple, if it appears in the Task Manager as a single line, we suggest the simplest way to hide the process: just rename it.

So, we will help you figure out how to rename a process in the Task Manager so that the program continues to work perfectly in anonymous mode.

Step 1

First go to the folder where the executable file of the program is located. If you know where it is, take the familiar "route": open the "Computer" window, go to the system drive C and then to its root folder.

If you do not know where the executable file is hiding, do not worry: just find the process in the list displayed by the Task Manager, right-click it and choose "Open File Location" in the menu that opens.

Step 2

After that the folder you are looking for will open, and it remains to find the executable file. The search will be easy, because this file has exactly the same name as in the list of processes in the Task Manager, and it has the extension "exe".

Step 3

To rename the file, right-click it again and choose "Rename". Once you have assigned a new name to your application, open the Task Manager and see that the renaming is reflected there too.

Of course, how "veiled" your program becomes for other PC users depends on the name you come up with. An unfamiliar process with a new name will only arouse suspicion faster and force the technical engineer to find out what kind of program is running on the PC.

For this reason many experienced users recommend coming up with names that do not arouse any suspicion at first sight.

In particular, an open Chrome browser creates several processes at once, just like Windows itself. It is tempting to take the same name for the process, but since the system will not allow two processes with the same name to run simultaneously, a small trick is recommended when renaming: some of the English letters in the name are replaced, as if by chance, with Russian ones. Visually the Russian letters are indistinguishable from the English ones, but to the system they are different, so programs with nominally identical names can run side by side.
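From the defender's side, the look-alike-letter trick just described is easy to catch by machine even though the eye cannot tell the letters apart: a process name containing characters outside printable ASCII is worth a second look. The following PowerShell script is an added example, not part of the original article; the confusable-letter table is a hand-picked subset of Cyrillic letters and is an assumption, not an exhaustive list.

```powershell
# Added example, not from the original article: list running processes whose
# image name contains non-ASCII characters and show the ASCII name they mimic.

# Cyrillic letters that are visually identical to Latin ones in common fonts,
# keyed by Unicode code point. Hand-picked subset, not an exhaustive list.
$confusables = @{
    '0430' = 'a'; '0441' = 'c'; '0435' = 'e'; '043E' = 'o'; '0440' = 'p'
    '0445' = 'x'; '0443' = 'y'; '0456' = 'i'; '0455' = 's'; '0458' = 'j'
    '04BB' = 'h'; '0410' = 'A'; '0412' = 'B'; '0421' = 'C'; '0415' = 'E'
    '041D' = 'H'; '041A' = 'K'; '041C' = 'M'; '041E' = 'O'; '0420' = 'P'
    '0422' = 'T'; '0425' = 'X'; '0423' = 'Y'
}

function Get-LatinSkeleton([string] $Name) {
    # Replace each confusable character with its Latin look-alike.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Name.ToCharArray()) {
        $key = '{0:X4}' -f [int]$ch
        if ($confusables.ContainsKey($key)) { [void]$sb.Append($confusables[$key]) }
        else { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

function Find-HomoglyphProcess {
    # Flag any process name outside printable ASCII. For each one, report the
    # look-alike name and whether a genuine process of that name is also running.
    $all = Get-Process
    $asciiNames = @($all.ProcessName | Where-Object { $_ -match '^[\x20-\x7E]+$' })
    foreach ($p in $all) {
        if ($p.ProcessName -match '[^\x20-\x7E]') {
            $skeleton = Get-LatinSkeleton $p.ProcessName
            [pscustomobject]@{
                Id          = $p.Id
                Name        = $p.ProcessName
                LooksLike   = $skeleton
                GenuineAlso = ($asciiNames -contains $skeleton)
                Path        = $p.Path
                CodePoints  = (($p.ProcessName.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' ')
            }
        }
    }
}

Find-HomoglyphProcess | Format-List
```

Legitimate programs with non-Latin names are listed too; the CodePoints column shows exactly which characters are foreign, and GenuineAlso = True (a real "chrome" running next to a "chrome" spelled with Cyrillic letters) is the case the article's trick produces.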

Outcomes

So, as you have seen, making an application anonymous can be done without any difficulty. Of course, there are far more advanced methods that hide a process more reliably, but they rely on writing complex code and on programming skills. If you do not set yourself such complicated goals, hiding running applications by renaming them is an acceptable option.

Having opened the Task Manager, a Windows user can see what is happening with the system's processes and close those that seem suspicious. To protect their programs from detection, the authors of Trojans and adware try to hide their processes in every conceivable way.

Instructions

To make the most of the Task Manager, configure it correctly. Open the utility (Ctrl+Alt+Del) and choose "View" - "Select Columns". Tick the boxes "Process ID", "CPU usage", "Memory usage", "USER objects" and "User name". You still will not see hidden processes, but more detailed information about the visible ones is also very useful. For example, many simple Trojans masquerade as svchost.exe. The genuine process is marked as SYSTEM in the "User Name" column, whereas the Trojan's process will have Admin status, that is, it runs as the administrator.
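The "User Name" check above can be extended to every svchost.exe instance and combined with the other properties a fake cannot easily imitate: image path, parent process, Authenticode signature and the "-k <group>" command line. The following PowerShell script is an added example, not part of the original article; it assumes an English Windows build for the account names and must be run from an elevated shell, and it flags per-user service hosts on newer Windows as account findings, which is a prompt to look closer rather than proof.

```powershell
# Added example, not from the original article: audit every svchost.exe by
# image path, account, parent process, signature and command line, instead of
# relying on the Task Manager's "User Name" column alone. Run elevated.

$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
# Account names as returned on English Windows; localized builds differ.
$serviceAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Test-SvchostProcess {
    # One row per svchost.exe; an empty Findings column means every check passed.
    $byId = @{}
    foreach ($w in Get-CimInstance -ClassName Win32_Process) { $byId[[int]$w.ProcessId] = $w }

    foreach ($w in @($byId.Values | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $findings = @()
        $owner = Invoke-CimMethod -InputObject $w -MethodName GetOwner
        $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(unknown)' }

        if ($expectedPaths -notcontains $w.ExecutablePath) { $findings += "path: $($w.ExecutablePath)" }
        # Per-user service hosts on newer Windows run under the logged-on user,
        # so an account finding alone is a prompt to look closer, not proof.
        if ($serviceAccounts -notcontains $account) { $findings += "account: $account" }

        $parent = $byId[[int]$w.ParentProcessId]
        if (-not $parent -or $parent.Name -ine 'services.exe') {
            $parentName = if ($parent) { $parent.Name } else { 'exited' }
            $findings += "parent: $parentName (pid $($w.ParentProcessId))"
        }
        if ($w.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $w.ExecutablePath
            if ($sig.Status -ne 'Valid') { $findings += "signature: $($sig.Status)" }
        }
        # A genuine service host is started with "-k <group>" by services.exe.
        if (-not ($w.CommandLine -match '\s-k\s')) { $findings += 'command line: no -k group' }

        [pscustomobject]@{
            Pid       = $w.ProcessId
            Account   = $account
            ParentPid = $w.ParentProcessId
            Findings  = ($findings -join '; ')
        }
    }
}

Test-SvchostProcess | Sort-Object -Property Findings -Descending | Format-Table -AutoSize
```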

Nowadays virtually any competently written Trojan is capable of concealing its presence from the Task Manager. Can it be found in that case? Here special tools come to the rescue, allowing hidden processes to be revealed. AnVir Task Manager is a very convenient program that lets you identify many dangerous programs. It has a Russian interface and can be downloaded free of charge on the Internet.

Process Hacker, a simple and easy-to-use program, has very good capabilities for finding hidden processes. With this utility you can see running processes, services and current network connections.

One of the best programs for finding hidden processes is Spyware Process Detector; its 14-day trial version can be downloaded from the link at the end of the article. The program has a wide range of mechanisms for detecting hidden processes, which distinguishes it from many similar utilities.

A small utility, HijackThis, can be a useful tool in the fight against Trojans. It is intended for a fairly experienced user. A guide to its use can be found below, in the list of sources.
