What technique is used to hide a process from Task Manager? I'm currently researching ways I can do this in C++. Is this process called hooking?

http://www.codeproject.com/Articles/3978/Trap-CtrlAltDel-Hide-Application-in-Task-List-on-W

The book I am self-studying from: RootKits: Subverting the Windows Kernel

Quaxton Hale

1 Answer

The rootkit replaces the legitimate call to EnumProcesses() with the address of its own implementation. Its implementation calls the original, but before it returns the list, it removes any mention of the processes it has been told to hide.

While the behavior and outcome are similar, I consider hooking to be slightly different, because it can be done legitimately. Hooking is generally done through an officially supported API, and the OS tracks all such hooks so it can undo them when the hooking process is terminated. A description of Microsoft's hooking mechanism can be seen here. Malware instead often directly modifies the memory without notifying the OS.

John Deters
  • So why doesn't malware use hooking? – Pacerier Jun 08 '15 at 16:26
  • @Pacerier, there are multiple ways to achieve the outcome. Legitimate software uses "hooking", as described above. Malicious software might use the hooking APIs, or it may simply search for and modify the binary value of the current API's entry point and roll its own hook. The advantage of using the published API is that it's supported on all platforms. The disadvantage to the malware author of calling the official API is that calling the CBT hooks is detectable as potentially suspicious behavior. – John Deters Jun 08 '15 at 20:02
  • I like this a lot, can you help code this or give a link to a sample code? With which hook type do we achieve this? From what I can see we are calling the SetWindowsHookEx() function. @JohnDeters – turmuka Nov 22 '17 at 07:30
  • https://msdn.microsoft.com/en-us/library/windows/desktop/ms644960(v=vs.85).aspx#installing_releasing gives example code for using hooks. Hooking can be used to intercept the various types of Windows messages; a keylogger may use hooks to peek at keystroke messages, for example. But the legitimate hooking techniques can't be used to replace Win32 calls like EnumProcesses(). That can only be done by memory tampering. – John Deters Nov 22 '17 at 22:06
  • @JohnDeters What do you mean by "modifies the memory"? Is it still using hooking? Or are you saying that it basically does the same thing as hooking without calling the official APIs? – ng.newbie Jul 14 '18 at 19:04
  • Yes, I'm saying rootkits modify the memory in a way similar to how hooking works, but without calling the official API. – John Deters Jul 15 '18 at 03:46
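A defender-side cross-view check in PowerShell, added here as an example and not code from the question, the answer or the linked book: a user-mode replacement of EnumProcesses() inside one process cannot also filter what the WMI service or Get-Process's own enumeration path reports, so a PID listed by one view but missing from another is the discrepancy to look for. The P/Invoke wrapper, its type name and the function names are this example's own assumptions.

```powershell
# Added example: compare process IDs from three independent enumeration paths.
# The psapi wrapper below is this example's own (hypothetical type name).
$enumProcessesSig = @'
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumProcesses(uint[] lpidProcess, uint cb, out uint lpcbNeeded);
'@
$psapi = Add-Type -MemberDefinition $enumProcessesSig -Name Psapi -Namespace CrossViewCheck -PassThru

function Get-EnumProcessesIds {
    # Call the documented EnumProcesses() directly, the API the answer says a rootkit replaces.
    $buffer = New-Object uint32[] 8192
    $bytesNeeded = [uint32]0
    if (-not $psapi::EnumProcesses($buffer, [uint32]($buffer.Length * 4), [ref]$bytesNeeded)) {
        throw "EnumProcesses failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    $count = [int]($bytesNeeded / 4)
    return $buffer[0..($count - 1)] | ForEach-Object { [int]$_ }
}

function Get-ProcessViewDiscrepancies {
    # Snapshots are taken back to back to limit noise from processes that start or exit in between.
    $views = [ordered]@{
        EnumProcesses = @(Get-EnumProcessesIds)
        GetProcess    = @((Get-Process).Id | ForEach-Object { [int]$_ })
        WMI           = @((Get-CimInstance -ClassName Win32_Process).ProcessId | ForEach-Object { [int]$_ })
    }
    $allIds = $views.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($id in $allIds) {
        $row = [ordered]@{ PID = $id }
        foreach ($name in $views.Keys) { $row[$name] = $views[$name] -contains $id }
        # Report only PIDs that at least one of the three views failed to list.
        $missingIn = @($views.Keys | Where-Object { -not $row[$_] })
        if ($missingIn.Count -gt 0) { [pscustomobject]$row }
    }
}

Get-ProcessViewDiscrepancies | Format-Table -AutoSize
```

A kernel-mode rootkit that alters the underlying system call fools all three user-mode views alike, so an empty result is not proof of a clean system. Short-lived processes also produce one-off gaps, so run the check twice and treat only PIDs missing on both runs as suspicious.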