
11/24/2019 malware - Hiding process from Task Manager - Information Security Stack Exchange

Hiding process from Task Manager [closed]


Asked 5 years, 10 months ago Active 4 years, 5 months ago Viewed 16k times

What technique is used to hide a process from Task Manager? I'm currently researching ways I can
do this in C++. Is this process called hooking?
http://www.codeproject.com/Articles/3978/Trap-CtrlAltDel-Hide-Application-in-Task-List-on-W

The book I am self-studying from: RootKits: Subverting the Windows Kernel

malware c++

edited Jan 6 '14 at 22:05 asked Jan 6 '14 at 21:50


Quaxton Hale
257 1 3 8

closed as too broad by Xander, tylerl, Steve, Adi, user10211 Jan 7 '14 at 3:32
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid
asking multiple distinct questions at once. See the How to Ask page for help clarifying this question.
If this question can be reworded to fit the rules in the help center, please edit the question.

1 Answer

The rootkit replaces the legitimate call to EnumProcesses() with the address of its own
implementation. Its implementation calls the original, but before it returns the list, it removes any
mention of the processes it has been told to hide.

While the behavior and outcome are similar, I consider hooking to be slightly different, because it can
be done legitimately. Hooking is generally done through an officially supported API, and the OS
tracks all such hooks so it can undo them when the hooking process is terminated. A description of
Microsoft's hooking mechanism can be seen here. Malware instead often directly modifies the
memory without notifying the OS.
edited Jun 8 '15 at 19:57 answered Jan 6 '14 at 22:42


John Deters
30.3k 3 48 101

So why don't malware use hooking? – Pacerier Jun 8 '15 at 16:26

@Pacerier, there are multiple ways to achieve the outcome. Legitimate software uses "hooking", as described
above. Malicious software might use the hooking APIs, or it may simply search for and modify the binary value of the
current API's entry point, and roll its own hook. The advantage of using the published API is that it's
supported on all platforms. The disadvantage to the malware author of calling the official API is that calling the
CBT hooks is detectable as potentially suspicious behavior. – John Deters Jun 8 '15 at 20:02

I like this a lot; can you help code this or give a link to sample code? With which hook type do we achieve
this? From what I can see we are calling the SetWindowsHookEx() function. @JohnDeters – turmuka Nov 22 '17
at 7:30

msdn.microsoft.com/en-us/library/windows/desktop/… gives example code for using hooks. Hooking can be
used to intercept the various types of Windows messages; a keylogger may use hooks to peek at keystroke
messages, for example. But the legitimate hooking techniques can't be used to replace Win32 calls like
EnumProcesses(). That can only be done by memory tampering. – John Deters Nov 22 '17 at 22:06

@JohnDeters What do you mean by "modifies the memory"? Is it still using hooking? Or are you saying that it
basically does the same thing as hooking without calling the official APIs? – ng.newbie Jul 14 '18 at 19:04
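The defensive counterpart of the technique the answer describes is a cross-view check: since a user-mode hook on EnumProcesses() only filters the view of the process it is loaded into, comparing that view against an enumeration served by a different path (here the WMI service via Win32_Process) exposes PIDs that one view drops. This is an added example, not code from the answer or the thread; the `CrossView.Psapi` P/Invoke wrapper and the function names are my own, and a kernel-mode rootkit that filters below both paths would not be caught by it.

```powershell
# Added example: compare two independent process enumeration paths.
# View A: PSAPI EnumProcesses() called directly from this process (the API
#         the answer says a rootkit replaces).
# View B: Win32_Process, answered by the WMI service in another process,
#         so a hook inside this process cannot filter it.
Add-Type -Namespace CrossView -Name Psapi -MemberDefinition @'
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumProcesses(uint[] pProcessIds, uint cb, out uint pBytesReturned);
'@

function Get-EnumProcessesView {
    $buf = New-Object uint32[] 4096          # room for 4096 PIDs
    [uint32]$bytes = 0
    if (-not [CrossView.Psapi]::EnumProcesses($buf, $buf.Length * 4, [ref]$bytes)) {
        throw "EnumProcesses failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $count = [int]($bytes / 4)
    return $buf[0..($count - 1)]
}

function Get-Win32ProcessView {
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { [uint32]$_.ProcessId }
}

function Compare-ProcessViews {
    # Sample each view twice and keep only PIDs present in both samples, so
    # processes that started or exited between calls are not false positives.
    $a1 = Get-EnumProcessesView; $b1 = Get-Win32ProcessView
    $a2 = Get-EnumProcessesView; $b2 = Get-Win32ProcessView
    $api = $a1 | Where-Object { $a2 -contains $_ }
    $wmi = $b1 | Where-Object { $b2 -contains $_ }
    [PSCustomObject]@{
        # PIDs WMI reports but EnumProcesses() in this process does not:
        # the signature of a filtered EnumProcesses() view.
        MissingFromEnumProcesses = @($wmi | Where-Object { $api -notcontains $_ })
        # The reverse direction is rarer; it points at WMI-side filtering.
        MissingFromWin32Process  = @($api | Where-Object { $wmi -notcontains $_ })
    }
}

Compare-ProcessViews | Format-List
```

On a clean system both lists come back empty; any PID that survives the double sampling in one view only is worth pulling the image path and parent of from the view that still shows it.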


