
Can malicious software hide itself, so its activity doesn't appear in the list of processes from Task Manager? Can it hide itself so when someone is controlling your computer, even if you open Task Manager, you won't see any suspicious activity?

If yes, how can it do that? What techniques can be used to hide in this way?

D.W.
Steve
  • Short answer: yes. – tangrs Mar 23 '15 at 08:40
  • Long answer: [yes](http://security.stackexchange.com/a/84391/39856) – Cole Tobin Mar 23 '15 at 15:52
  • What research have you done? We expect you to do some research before asking here. This topic is covered well by the [the Wikipedia article on rootkits](https://en.wikipedia.org/wiki/Rootkit), which explains how malicious software can hide itself. – D.W. Mar 23 '15 at 19:39
  • There are several other questions here that provide information about this topic. See, e.g., [How effective is Windows Task Manager at identifying keyloggers?](http://security.stackexchange.com/q/24848/971), [How to find processes that are hidden from task manager](http://security.stackexchange.com/q/76100/971), [Hiding process from Task Manager](http://security.stackexchange.com/q/48184/971), [Task Manager and Keyloggers](http://security.stackexchange.com/q/33295/971), [What is a rootkit?](http://security.stackexchange.com/q/10369/971), (continued) – D.W. Mar 23 '15 at 19:48
  • [How would one know if they have a rootkit?](http://security.stackexchange.com/q/44208/971), and [Can malware hide their network activity from Resource Monitor (perfmon)?](http://security.stackexchange.com/q/29824/971). I recommend that you read the answers there, as they seem to answer your question. Did you try searching here before asking? For the future, we encourage you to use search here on this site, and to do some research on your own, before asking. It helps you ask a better, more focused question that is more likely to be useful to others in the future. – D.W. Mar 23 '15 at 19:50

2 Answers


Yes. There are a number of ways:

  • Directly patch Task Manager's process at runtime so that its enumeration code skips over your process.
  • Run "processless", by loading a DLL into a process (e.g. via AppInit_DLLs) or injecting code into process memory and starting a thread (via VirtualAllocEx / WriteProcessMemory / CreateRemoteThread).
  • Hook the Process32First / Process32Next functions in every process (incl. task manager) to "skip" your process when the enumeration is performed.
  • Hook CreateToolhelp32Snapshot so that the mapped section's memory (see here for how snapshots work) is modified ahead of time, so that Process32First / Process32Next end up reading from fake data.
  • Hook ntdll.dll!NtQuerySystemInformation and, if SystemProcessInformation is passed, patch the results to skip over your process. This is a lower level hook than the above calls.
  • Load a kernel-mode driver which hooks the kernel-mode handler for SystemProcessInformation queries. I don't know the real name for this in Windows (it's not documented) but essentially there's a table of handlers which NtQuerySystemInformation looks through for this purpose, and you just have to hook the right one. Here's the ReactOS implementation of the actual handler. In this you'd just mess with the returned structs so that your process isn't shown.
  • Hook the SSDT to catch the transition between user-mode and kernel-mode for when various process enumeration APIs are called.
  • Use Direct Kernel Object Manipulation (DKOM) to modify the EPROCESS structures in memory so that your process is hidden from the kernel entirely. The kernel maintains a circularly linked list of structures which represent all running processes, with FLink and BLink fields as forward and backward pointers respectively. By manipulating those pointers to jump over your process, then manipulating your process' pointers to go back to themselves, the kernel will skip over your process during enumeration. This is a common rootkit technique.
Polynomial
  • Depressing how many ways there are :-( – aggsol Mar 23 '15 at 10:02
  • A popular approach is injecting a dll into a common process (e.g. explorer). No need to hide a process if you don't create one. – CodesInChaos Mar 23 '15 at 10:04
  • @CodesInChaos Injecting a DLL simply allows the hooks to be inserted within the process more easily, as the code already exists. The alternative vector is to use `VirtualAllocEx` / `WriteProcessMemory` / `VirtualProtectEx` / `CreateRemoteThread` to either inject code and a new running thread to patch the IAT, or directly patch the IAT with "remotely" allocated code caves, without creating the remote thread. – Polynomial Mar 23 '15 at 10:06
  • @Polynomial You don't need any hooks if you don't have a process to hide. – CodesInChaos Mar 23 '15 at 10:07
  • @CodesInChaos Ah, yes, I see what you're saying there. Same thing goes for `CreateRemoteThread`, though in both cases you can dump the modules list / thread list and investigate that way (all easy with Process Explorer). – Polynomial Mar 23 '15 at 10:07
  • @CodeClown Not really depressing. All of these ways are trivially detected from a forensic memory dump. There are automated tools that can detect for these anomalies. It gets even more fun when there are filter drivers in place to hide files and registry keys. – Polynomial Mar 23 '15 at 10:09
  • Unlinking yourself from the module list isn't too hard. Alternatively you can write your own dll loader that doesn't register your code in any such lists. I've seen both of these techniques employed by game hacks to hide from anti-cheat tools. – CodesInChaos Mar 23 '15 at 10:12
  • @CodesInChaos Yup, though it is easy to detect by enumerating the thread list (`ETHREAD` structs) and intersecting the parent process ID list with those obtained from the `EPROCESS` list. If there are any orphaned threads, you know there's a hidden process. You can't (trivially) unlink threads because the thread scheduler won't give them any CPU time, making them generally useless. – Polynomial Mar 23 '15 at 10:20
  • @Polynomial I was more thinking in ways of prevention. If it is easy to detect when it's there then it's already too late. The system is compromised, isn't it? – aggsol Mar 23 '15 at 10:31
  • @CodeClown All of these hooks require the attacking process to be running as an administrator. The latter ones require driver load privileges. The solution is not to run malicious code on your system - follow safe practices, enable UAC, use a VM / sandboxing for testing untrusted stuff, run an AV (MSSE is fine), and install and configure [EMET](http://microsoft.com/emet) to get some additional protection against exploits. – Polynomial Mar 23 '15 at 10:33
  • I'm curious how many of these techniques also are able to beat tools like Process Monitor? (Thinking back to a number of blog posts by Mark Russinovich from before his company was bought by MS about how he used SysInternals tools to hunt down malware in a running OS). – Dan Is Fiddling By Firelight Mar 23 '15 at 14:09
  • @DanNeely Process Monitor, as far as I understand, doesn't bother with the toolhelp functions and goes straight to the ntdll stuff, so hooking Process32First/Next won't beat it. Hooking `NtQuerySystemInformation` should still hide it from ProcExp, as should anything lower down. You'd have to do investigation with a kernel debugger (e.g. WinDbg) to identify hooks at that level. Hidden EPROCESS entries require some more in-depth analysis. Stuff like SSDT / IDT hooks will require forensic memory dumps. – Polynomial Mar 23 '15 at 14:38
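The detection idea from the comments above (cross-reference independent views of the process list, and treat a PID that owns threads but is absent from the process list as a hidden process) as an added example, not code from the answer or its author. `find_hidden` is the generic cross-view check; `toolhelp_views` is an assumed Windows-only collector built on the Toolhelp snapshot API via ctypes, and the sample data at the bottom is constructed. A hook placed in the Toolhelp path itself would feed both views the same lie, so a real detector also pulls views from lower layers (NtQuerySystemInformation, kernel structures or a memory dump), as the comments note.

```python
import ctypes
import sys

def find_hidden(views, thread_owner_pids):
    """Cross-view check: a PID seen in any process view, or owning a thread, must
    appear in every view. Returns {pid: [names of views that do not list it]}."""
    every_pid = set(thread_owner_pids).union(*views.values())
    suspects = {pid: [n for n, pids in views.items() if pid not in pids] for pid in sorted(every_pid)}
    return {pid: missing for pid, missing in suspects.items() if missing}

def toolhelp_views():  # Windows only: PIDs and thread-owner PIDs from Toolhelp snapshots
    from ctypes import wintypes
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE  # avoid truncating 64-bit handles
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    for fn in (k32.Process32First, k32.Process32Next, k32.Thread32First, k32.Thread32Next):
        fn.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    class PROCESSENTRY32(ctypes.Structure):  # ANSI layout, matches Process32First/Next
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", ctypes.c_long),
                    ("dwFlags", wintypes.DWORD), ("szExeFile", ctypes.c_char * 260)]
    class THREADENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ThreadID", wintypes.DWORD), ("th32OwnerProcessID", wintypes.DWORD),
                    ("tpBasePri", ctypes.c_long), ("tpDeltaPri", ctypes.c_long),
                    ("dwFlags", wintypes.DWORD)]
    def walk(flag, entry_type, first, nxt, field):  # flag: TH32CS_SNAPPROCESS=2, TH32CS_SNAPTHREAD=4
        snap = k32.CreateToolhelp32Snapshot(flag, 0)
        entry = entry_type(dwSize=ctypes.sizeof(entry_type))
        out, ok = [], first(snap, ctypes.byref(entry))
        while ok:
            out.append(getattr(entry, field))
            ok = nxt(snap, ctypes.byref(entry))
        k32.CloseHandle(snap)
        return out
    procs = walk(2, PROCESSENTRY32, k32.Process32First, k32.Process32Next, "th32ProcessID")
    owners = walk(4, THREADENTRY32, k32.Thread32First, k32.Thread32Next, "th32OwnerProcessID")
    return {"toolhelp": procs}, owners

# Constructed sample (not a real system): PID 4242 owns threads but is absent from the process list.
SAMPLE_VIEWS, SAMPLE_OWNERS = {"toolhelp": [4, 612, 1337]}, [4, 612, 1337, 4242]

if __name__ == "__main__":
    views, owners = toolhelp_views() if sys.platform == "win32" else (SAMPLE_VIEWS, SAMPLE_OWNERS)
    print(find_hidden(views, owners))
```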

Certainly - there are several ways of hiding from the task manager. The simplest is to hide in plain sight with the process named something innocuous. Another option is to hide as a sub-process which then doesn't show up.

It could also install as a service, again with an innocent name. It would show in the list of services but wouldn't be shown separately in the task list. There will, I'm sure, be other, more complex methods that a Google search would show up.

kalina
Julian Knight