
I'm using an app right now that for some reason reads all my processes. Is there a way for me to prevent this from happening? Or maybe hide 2-3 processes I have? I'm using Windows 10 64 bits

Thanks in advance. (I post this in security because it is a security problem for me)

Kyuuri
  • What operating system are you using? With Linux, there's `hidepid=2` for `procfs`. – forest Apr 24 '19 at 00:14
  • Oh sorry, I forgot. Windows 10 64 bits. – Kyuuri Apr 24 '19 at 00:16
  • What do you mean it reads all of your processes? How have you discerned this? – Polynomial Apr 24 '19 at 00:23
  • A game master from this game told me exactly every process name I had opened. Also he took a screenshot of my desktop and sent it via discord. I prevented screenshots using ScreenWings but idk how to prevent the process thing – Kyuuri Apr 24 '19 at 01:51
  • If he took a screenshot of your desktop, it means he has spyware (or something equivalent) on your computer. Get rid of it or he will be able to do a lot more. – forest Apr 24 '19 at 03:25

2 Answers


In General

You cannot do this easily as a user.

Windows provides an API which does not require elevated privileges to get this list of running processes: https://docs.microsoft.com/en-us/windows/desktop/api/Psapi/nf-psapi-enumprocesses

Technically you could hide your process by hooking (read: replacing) this API with a version that strips your app info, but this is a pretty substantial effort.

In Your Case

It sounds like from your comments that someone has remotely been able to take screenshots and get the process list. This is bad news. There are two primary cases:

  1. The game you are using has vulnerabilities which enable this other person to execute some code on your machine.
  2. This person has somehow managed to install some kind of spyware on your machine.

Both are bad, and it isn't easy to figure out which is the case. I suggest removing the game and running your malware/spyware removal tool of choice (Windows Defender is a good start).

Josiah
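As an added illustration of the point above (this script is not part of either answer), the following PowerShell calls the same psapi!EnumProcesses API from a non-elevated Windows 10 session and then tries to open each returned PID with PROCESS_QUERY_LIMITED_INFORMATION. It shows that every PID is visible to a standard user and that only the image path is withheld for protected or other users' processes; the Win32 signatures and the 0x1000 access constant are taken from the documented API, everything else is constructed for this example.

```powershell
# Added example: enumerate processes as an unprivileged user via psapi!EnumProcesses
# and report which PIDs the caller can open at all. Windows 10, any user account.
Add-Type -Namespace Win32 -Name Psapi -MemberDefinition @'
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumProcesses([Out] uint[] pids, uint cb, out uint cbNeeded);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode, EntryPoint = "QueryFullProcessImageNameW")]
public static extern bool QueryFullProcessImageName(IntPtr h, uint flags, System.Text.StringBuilder name, ref uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # documented Win32 access right

# EnumProcesses fills a caller-supplied DWORD array; grow it until everything fits.
$pids = New-Object uint32[] 1024
[uint32]$needed = 0
while ($true) {
    if (-not [Win32.Psapi]::EnumProcesses($pids, [uint32]($pids.Length * 4), [ref]$needed)) {
        throw "EnumProcesses failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    if ($needed -lt $pids.Length * 4) { break }   # cbNeeded == cb means the buffer may be too small
    $pids = New-Object uint32[] ($pids.Length * 2)
}
$count = [int]($needed / 4)

$visible = 0; $opaque = 0
foreach ($p in $pids[0..($count - 1)]) {
    $h = [Win32.Psapi]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p)
    if ($h -eq [IntPtr]::Zero) {
        # Protected or other-session processes: the PID is still listed, only details are denied.
        $opaque++
        "{0,6}  <access denied>" -f $p
        continue
    }
    $sb = New-Object System.Text.StringBuilder 1024
    [uint32]$len = $sb.Capacity
    if ([Win32.Psapi]::QueryFullProcessImageName($h, 0, $sb, [ref]$len)) {
        $visible++
        "{0,6}  {1}" -f $p, $sb.ToString()
    } else {
        $opaque++
        "{0,6}  <no image path>" -f $p
    }
    [void][Win32.Psapi]::CloseHandle($h)
}
"$count PIDs enumerated without elevation; $visible with image path, $opaque without"
```

Run it from a normal (non-administrator) PowerShell window to see that the PID list itself is never filtered; compare with an elevated window to see how many more image paths become readable.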

Here is what I would do step by step if I were in your case:

  1. Check what DLLs are used by the application.
  2. Run procmon (for endpoint activity) and wireshark (for network activity). Try and find which processes it is trying to find and which IP address it is trying to send the data to.
  3. If I can establish the target DNS name/IP to which your screenshots were exfiltrated, block it in your local firewall as well as on the router.
  4. Shim the PsApi!EnumProcesses API for your application using MS Detours. Since it looks like malware, it is probably searching for AVs or any evasion.

P.S. All the above steps require an intermediate level of expertise in Windows development and basic networking.

Ashutosh Raina