Hiding the process in Windows Task Manager

Intro

Often, anonymity and secrecy play a key role in the successful implementation of any actions both in reality and in virtuality, particularly in operating systems. This article will discuss how to become anonymous in Windows OS. All information is provided for informational purposes only.

So, we will try to hide from the user's eyes in the Windows Task Manager. The way in which we will achieve this is extremely simple with respect to those that are based on intercepting nuclear (often undocumented) functions and on creating our own drivers.

The essence of the method: search for the Task Manager window -> search in it for a child window (list) containing the names of all processes -> delete our process from the list.

As you can see, no manipulations will be carried out with our process: it worked as it did and will work for itself. As a standard ordinary Windows user, as a rule, does not use any other tools to view the running processes on his computer, this will only play into our hands. The process will not be detected in most cases.
')
What was used for research:

1) Spy ++ from Microsoft (to study the hierarchy of child windows Task Manager)
2) OllyDBG to view the functions used by the dispatcher to get a snapshot of processes.
3) Actually, taskmng.exe itself (Task Manager)

For writing code, we will use the Delphi environment. Rather, Delphi will be more convenient in our case than C ++. But this is only my humble opinion.

Well, first of all we will try to find out what the list of processes is and how it works. From a half-view, it is clear that this is a normal window of the SysListView32 class (list), which is updated at a frequency of 2 frames per second (every 0.5 seconds). We look at the hierarchy of windows:



As you can see, the list of processes, in fact, is the usual window of the “SysListView32” class, which is a child of the “Processes” window (tab), which is also a child of the main Task Manager window. We have only a double level of nesting. In addition, the list has one child window of the “SysHeader32” class, which, as it is not difficult to guess, is the title (field marker) for the list of processes.
Since we have a regular list, we have a whole set of macros at our disposal to manage its contents. Their diversity, at first glance, delights. But many of them work only from the parent process, that is, in order for us to use them, it will be necessary to imitate, as if they are executed in the parent process. But not everyone has such a property, in particular, the ListView_DeleteItem macro command, which deletes an item from the list-window (the “SysListView32” class).
We will use it in the process of our application. This function receives the index of the element to be deleted by the second parameter.
Now we need to somehow figure out what kind of index the element has with the label of the hidden process in the task manager. To do this, we need to somehow pull out all the elements from the list of processes in the task manager (labels with the names of the processes) and consistently compare them with the name of the process that we want to hide.

Using macros of the ListView_GetItemText type, our actions would be approximately as follows:

1) Memory allocation in task manager process ( VirtualAllocEx )
2) Sending the Task Manager child window a message LVM_GETITEMTEXT ( SendMessage )
3) Write to the selected memory area of ​​the Task Manager information about the item in the list ( WriteProcessMemory )
4) Reading from the dispatcher’s memory the information that interests us about the process ( ReadProcessMemory )

Using this method, you can easily "shoot yourself in the foot" by counting the offset bytes from the beginning of the various structures used in the code. Also, this method will be quite difficult for those who are not very deep in WinAPI, so we immediately remove it to the side. In other matters, to find the implementation of this method on the Internet will not be difficult. Instead, I will suggest that you form your own list of processes, and already focusing on it, look for the coveted process index in the Task Manager process list.

Microsoft decided not to worry about the tool called Task Manager, and used the usual WinAPI functions to get all the processes in the system. We look at taskmng.exe superficially under the debugger:



We see the use of the WinAPI CreateToolHelp32SnapShot function.
Everyone knows that this function can be used not only to obtain a snapshot of processes, but also process flows or modules, for example. But in this case it is unlikely. It is unlikely that they will use something like the enumerator of processes ( EnumProcesses ).
We stopped at the fact that we want to create our own list of processes and look for our process in it. To do this, use the function found in the debugger. If we open the task manager on the “Processes” tab, we note that all processes are sorted alphabetically for easy retrieval. Therefore, we need to get a list of the names of all processes in the system and sort them in ascending order in alphabetical order . Let's start writing code in Delphi.

To begin with, we will create a demo window application with two timers: the first one will reshape the list with processes with the same frequency with which the Windows Task Manager does it (every two seconds); the second will trigger 1000 times per second and will serve to track the update of the list of processes in the manager and, therefore, the appearance of our hidden process. Also add a button to the form.

Code:

var ind:integer; h:Thandle; last_c:integer; procedure UpdateList(); var th:THandle; entry:PROCESSENTRY32; b:boolean; i,new_ind:integer; plist:TStringList; begin //   plist:=TStringList.Create; //    th := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS,0); entry.dwSize:=sizeof(PROCESSENTRY32); b:=Process32First(th,entry); while(b) do begin plist.Add(entry.szExeFile); b:=Process32Next(th,entry); end; //  ,    //   ,     plist.Sort; last_c:=plist.Count; //     'explorer.exe' for i:=1 to plist.Count-1 do if(LowerCase(plist[i])='explorer.exe') then new_ind:=i-1; //     if(new_ind<>ind) then ListView_DeleteItem(h,ind); ind:=new_ind; plist.Free; //        if(Form1.Timer2.Enabled=false) then Form1.Timer2.Enabled:=true; end; procedure TForm1.HideProcessButton(Sender: TObject); begin //     'SysListView32' h:=FindWindow(nil,'  Windows'); h:=FindWindowEx(h,0,nil,''); h:=FindWindowEx(h,0,'SysListView32',nil); //      Timer1.Enabled:=true; end; procedure TForm1.Timer1Timer(Sender: TObject); begin UpdateList(); end; procedure TForm1.Timer2Timer(Sender: TObject); begin //     if(ListView_GetItemCount(h)>last_c) then ListView_DeleteItem(h,ind); last_c:=ListView_GetItemCount(h); end; 

That's the whole code.
We hide, for example, in the Task Manager the process of the Task Manager itself:

Here it is:



And by clicking on the "Hide process" button, the process disappears from the list:



All traces of presence in the system are erased, and he calmly runs as usual somewhere in the depths of the processor :)

Outro

Well, I think this way deserves to exist, though it requires minor improvements. Yes, of course, it cannot be used to hide the process from the system itself, but hiding in the standard Windows tool, which is used by the lion’s share of all users, is not bad either.
I hope I managed to interest you at least a little bit with this topic.

See you later! And may the power of anonymity be with you ...