
How Hide Self Process

Started by JFOC, March 19, 2008, 07:22:22 PM


JFOC

Hello,
Anyone know how to hide my own process from Task Manager?

thank you

thomas_remkus

Maybe if you outlined what you needed or your general goals ...

BogdanOntanu

Tell me this: What is the purpose of hiding your process from taskmanager?
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro

JFOC

Hide a process on WinXP and Win9x.

Need to hide it for internet cafe computer billing, so our customers cannot see and kill the process. Ctrl+Alt+Del is active because the applications run by customers sometimes hang.

thank you

BogdanOntanu

This is a questionable programming practice. AV software that runs on your internet cafe computers will detect such activity as malware and might remove your billing software if it tries to hide itself.

Since you are in control and administrator of the computers I do suggest another method: make your billing software talk periodically to your local network billing server with encrypted messages. If your own messages do not come every 1s to your own billing server then shut down the offending computer that does not respond.

This way you are sure that the billing software is up and running on the billed computer or the user is not able to use the computer.
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro
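The heartbeat design above (client reports in every second, server locks out any PC that goes quiet) is easy to get wrong if the messages can be forged or replayed: a user who can kill the billing client could also replay a captured packet to keep the server happy. The following is an added example, not code from this thread or from any billing product, of the server-side half of that design in Python. It uses an HMAC tag (message authentication) rather than the encryption Bogdan mentions, since authenticity, not confidentiality, is what stops a faked "I am alive" message; the key, client names and timestamps are constructed demo values.

```python
import hashlib
import hmac

# Shared secret between the billing client and the billing server.
# Constructed demo value; in a deployment each client would get its own key.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def make_heartbeat(client_id: str, counter: int, now: float, key: bytes = DEMO_KEY) -> bytes:
    """Build one heartbeat datagram: id|counter|unix_seconds|hex(HMAC-SHA256).

    The counter must only ever increase on a given client, so a captured
    packet cannot be replayed later to fake a live billing process.
    """
    body = f"{client_id}|{counter}|{int(now)}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class HeartbeatMonitor:
    """Server-side liveness tracker: which billed PCs have a working billing client."""

    def __init__(self, key: bytes = DEMO_KEY, timeout: float = 3.0, max_skew: int = 5):
        self.key = key
        self.timeout = timeout      # seconds without a valid heartbeat before a PC is "stale"
        self.max_skew = max_skew    # tolerated clock difference between client and server, seconds
        self.last_seen = {}         # client_id -> time of last valid heartbeat (None = never)
        self.last_counter = {}      # client_id -> highest counter accepted so far

    def register(self, client_id: str) -> None:
        """Known PCs start as 'never seen' so a client that never starts is reported too."""
        self.last_seen.setdefault(client_id, None)

    def accept(self, packet: bytes, now: float) -> bool:
        """Validate one datagram; True only if it is authentic, fresh and not a replay."""
        try:
            body, tag = packet.rsplit(b"|", 1)
            client_id, counter_s, ts_s = body.decode().split("|")
            counter, ts = int(counter_s), int(ts_s)
        except (ValueError, UnicodeDecodeError):
            return False                      # malformed
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or corrupted
        if abs(int(now) - ts) > self.max_skew:
            return False                      # too old, or a clock is badly off
        if counter <= self.last_counter.get(client_id, -1):
            return False                      # replay of an already-seen heartbeat
        self.last_counter[client_id] = counter
        self.last_seen[client_id] = now
        return True

    def stale_clients(self, now: float) -> list:
        """PCs whose billing client missed the deadline: candidates for lock-out."""
        return sorted(
            cid for cid, seen in self.last_seen.items()
            if seen is None or now - seen > self.timeout
        )
```

Each heartbeat here is about 80 bytes of payload, so 300 clients at one per second come to roughly 25 KB/s before UDP/IP headers, which supports sinsi's point below that the network load is not the problem. The `timeout` is deliberately a few heartbeat intervals long so one dropped datagram does not lock a paying customer out.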

JFOC

Sending messages from every computer every 1s takes too much network resource; since we have 300 computers, and more in the future, it is impossible to monitor every computer periodically. The simplest way is to make the process hidden so the customer cannot kill the billing application we made.

Thank you

JFOC

We do not use antivirus, just software that auto-restores the computer's data state at every boot. Every computer uses network boot.

xmetal

It seems to me that, one can only select one process at a time, to terminate through the task manager. Assuming the user has no other way to terminate processes and that the speed of user interfacing is slower than background processing, one can create two processes which monitor each other so that if one of them "dies" it can be "reincarnated" by the other.

Create a "support" application whose sole purpose is to wait on the handle of your main billing process. If the billing process is terminated, have it re-created by the support process. Of course, you will need to have another IPC mechanism in place to indicate that a "graceful" shutdown is taking place. Also, you will need to create a thread in your main billing process which waits on the handle of your support process.

You should be able to work out the details of passing the handles around and other inter-process communication issues.

sinsi

Funny how often "internet cafe billing" programs need to be hidden, or the keyboard locked... why don't these programs do it themselves? And why is asm the best way?

I'm sure that 300 computers (wow, big cafe) sending a packet to the server every second ain't going to slow the network that much.

Quote from: xmetal on March 20, 2008, 04:36:22 AM
It seems to me that, one can only select one process at a time, to terminate through the task manager. Assuming the user has no other way to terminate processes and that the speed of user interfacing is slower than background processing, one can create two processes which monitor each other so that if one of them "dies" it can be "reincarnated" by the other.
Just like spyware does...(I'm not accusing anyone of this. I can see the value of it - NAV does monitoring on its other processes)...but an interesting first post. :bdg
Light travels faster than sound, that's why some people seem bright until you hear them.

BogdanOntanu

Quote
but an interesting first post. BadGrin ...

Clearly... that is why I jumped in and started monitoring it :D

But the guy was not capable of offering a decent logical explanation for his intention (the 300 PCs with no AV argument made me laugh also)... so I wanted to see how he "evolved" while being under "moderated pressure"...

I also do not like the dual process monitor idea, and again some AVs do pick up on it also (of course AVs do know each other).

Of course the network will not be loaded by a once-in-a-while encrypted UDP packet, and besides you will have to do this anyway in a 300 PC network. You do not really want to walk physically to each computer.

Another correct solution IMHO would be a PCI card that will receive the watchdog communication packets via ports and not via network. Again, if the billing software does not send the periodic "I am still standing" message then the PCI card can restart the PC. This is clearly beyond the average user's knowledge and could not be hacked fast enough because it is hardware after all.
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro

ecube

For NT-XP look up the DKOM kernel unhooking method; for 9x use the undocumented RegisterServiceProcess API. For those who are against answering questions such as these: there is no security in obscurity. It'd be much better if these methods were known than trying to keep them secret; anyone in security already knows about them anyway, and the majority of AVs etc. do too.

BogdanOntanu

Quote
For those who are against answering questions such as these, there is no security in obscurity

Nobody is really trying to keep them secret. There is no such thing as "secret" with the internet. The OP would have found thousands of links for this on Google, other reverse-engineering forums have examples, etc.

However this forum is NOT oriented towards such questionable (but sometimes useful) practices. This forum is oriented "slightly more" towards creating programs by using standard programming practices. The reason for this is that the link between questionable things (Vx, hacking, cracking, reverse, etc) and ASM does harm ASM programming more than it helps.

Because of this I preferred to explore alternative solutions instead of giving the OP the exact answer in such a "gray" area. If he does not have the brains to do a simple Google search then maybe it is better not to answer him. And it being his first post and the way he avoided alternative solutions is... priceless.

However you can answer it if it does not break the rules and in fact you just did ;)

It is a little like giving a small kid a loaded gun and then saying that it is not your fault that he shot with it. Maybe it is not your fault, but are you sure that you helped him? I know that your ego is boosted because you, of all those that "avoided", did answer him... Do you feel better now when you check the Google links for your "concepts"?

Of course that will not really work because AV will pick them up from kernel mode, and the user can run a lot of tools that show such "hidden" applications and have an option to terminate them for the user's protection.

But that is complicated, you have to use undocumented features and structures that will change with the next service pack or OS version and it generates crashes and hard to fix bugs and again it gives ASM a bad name.

In conclusion I do not answer such questions in gray areas not because I believe this provides any kind of "security by obscurity" but instead because I consider it is the correct thing to do and it helps the OP understand if he has good will.

Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro
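The "tools that show hidden applications" Bogdan refers to work by cross-view comparison: enumerate processes through several independent paths and report any PID that one path returns and another does not. The script below is an added example, not from this thread or from any such tool, written in Python with `ctypes` for Windows. It collects three user-mode views (`tasklist`, `EnumProcesses` from psapi.dll, and a Toolhelp32 snapshot from kernel32.dll) and diffs them; the collectors only run on Windows, while `parse_tasklist_csv` and `cross_view` are plain functions that can be exercised anywhere with constructed input. One caveat a practitioner would want: all three views ultimately derive from the kernel's own process list, so this catches API hooking in user mode and inconsistencies between hooked and unhooked paths, but a kernel-level unlink of the kind the DKOM reference above alludes to would hide from all three; detectors that handle that add kernel-side views, which is outside what a user-mode script can do.

```python
import csv
import ctypes
import io
import subprocess
import sys


def parse_tasklist_csv(text: str) -> set:
    """Parse `tasklist /FO CSV /NH` output; the second column is the PID."""
    pids = set()
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids.add(int(row[1]))
    return pids


def tasklist_pids() -> set:
    """View 1: the listing an ordinary user gets from a command prompt."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


def psapi_pids() -> set:
    """View 2: EnumProcesses from psapi.dll (grows the buffer until it all fits)."""
    psapi = ctypes.windll.psapi
    count = 1024
    while True:
        arr = (ctypes.c_ulong * count)()
        needed = ctypes.c_ulong(0)
        if not psapi.EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
            raise ctypes.WinError()
        if needed.value < ctypes.sizeof(arr):          # buffer was large enough
            return set(arr[: needed.value // ctypes.sizeof(ctypes.c_ulong)])
        count *= 2


def toolhelp_pids() -> set:
    """View 3: CreateToolhelp32Snapshot / Process32First / Process32Next (ANSI variants)."""
    TH32CS_SNAPPROCESS = 0x00000002

    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", ctypes.c_ulong), ("cntUsage", ctypes.c_ulong),
                    ("th32ProcessID", ctypes.c_ulong), ("th32DefaultHeapID", ctypes.c_void_p),
                    ("th32ModuleID", ctypes.c_ulong), ("cntThreads", ctypes.c_ulong),
                    ("th32ParentProcessID", ctypes.c_ulong), ("pcPriClassBase", ctypes.c_long),
                    ("dwFlags", ctypes.c_ulong), ("szExeFile", ctypes.c_char * 260)]

    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    for fn in (k32.Process32First, k32.Process32Next):
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
    pids = set()
    ok = k32.Process32First(snap, ctypes.byref(entry))
    while ok:
        pids.add(entry.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return pids


def cross_view(views: dict) -> dict:
    """Map each PID absent from at least one view to the names of the views that missed it.

    Processes starting or exiting between snapshots produce transient one-off
    mismatches; a PID that stays missing from the same view on repeated runs is
    the interesting case.
    """
    everything = set().union(*views.values())
    report = {}
    for pid in sorted(everything):
        missing = [name for name, pids in views.items() if pid not in pids]
        if missing:
            report[pid] = missing
    return report


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the three collectors call Win32 APIs; run this on Windows")
    views = {"tasklist": tasklist_pids(), "psapi": psapi_pids(), "toolhelp": toolhelp_pids()}
    for pid, missing in cross_view(views).items():
        print(f"PID {pid} not reported by: {', '.join(missing)}")
```

Run it a few times in a row and keep only PIDs that recur in the report; on a healthy machine the output should be empty or limited to short-lived processes.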

P1

Write the program to run as a service, so that you cannot stop it from the Task Manager.

You may want to put some password on the code, so it does not process a stop command without it.

Regards,  P1   :8)