All modern multitasking operating systems, including Linux, launch several processes to complete each task. Using notepad, a terminal window, an SSH server, an SSH connection, etc. are all separate processes. The operating system, in our case Linux, distributes system resources (CPU time, memory, I/O) between processes so that each process can run.
To see the list of running this moment processes use the ps utility:
The aux parameters tell the utility to display all system processes with information about the user from which they were launched and the call command.
As you can see, the list contains processes belonging to various users, including pi, the default user on the Raspberry Pi, root, and www-data. Here is another screenshot that shows processes and information about their launch command and parameters:
If you look at the bottom of the list you will see the nano MYBANKACCOUNTNUMBER.TXT command executed by the user john. This data is provided to all users of the system and can be used for malicious purposes.
In the kernel version 3.2 and higher, a function is implemented to prohibit the user from viewing information about processes that do not belong to him. The ps command retrieves information about processes from the /proc file system. A new hidepid parameter has been added which is used when mounting the file system. It allows you to hide information about processes from users who do not have access to them.
- hidepid = 0 - default value, all users can read /proc/pid files
- hidepid = 1 - users can only access their own /proc/pid subdirectory, but cmdline, io, sched*, status files are available to everyone
- hidepid = 2 - all /proc/pid subdirectories are hidden from users
The /proc filesystem can be remounted on the fly using the remount option of the mount utility. To check if hidepid is working, you can use the following command:
sudo mount -o remount,rw,hidepid=2 /proc
Then we try to run ps again:
Now we will see only processes launched from the user pi.
To make these changes permanent you need to edit the /etc/fstab. This file controls the mount file systems at start.
sudo nano /etc/fstab
Find this line:
proc /proc proc defaults 0 0
And replace it with:
proc /proc proc defaults,hidepid=2 0 0
Close the editor using the Ctrl+C keyboard shortcut and restart your computer. After reboot /proc will be mounted with the correct options. To check the mount options, use the mount command and grep.
mount | grep hidepid
Now let's try to run ps:
As you can see, only processes belonging to the current user are visible. But there is one note. The superuser can still see all processes and call parameters.
By opening Task Manager, Windows user can see leaks in the system processes and close those that seem suspicious to him. To protect their programs from detection, the authors of Trojan programs and ad-aware try their best to possible ways hide them processes.
Instructions
To get the most out of Task Manager, you need to configure it correctly. Open the utility (Ctrl + Alt + Del), select “View” - “Select Columns”. Check the boxes: “Process ID”, “CPU Load”, “Memory - Usage”, “USER Objects”, “User Name”. You won't be able to see the hidden ones processes, but more detailed information about visible ones can also be very useful. For example, many simple Trojans masquerade as the svchost.exe process. The original process in the Username column is marked as SYSTEM. The Trojan process will have Admin status, that is, it is launched as an administrator.
Almost any well-written Trojan program is now capable of hiding its presence from the Task Manager. Is it possible to detect it in this case? This is where they come to the rescue special utilities, allowing to reveal hidden processes. The AnVir Task Manager program is very convenient, allowing you to identify many dangerous programs. The program has a Russian interface and can be downloaded for free on the Internet.
The simple and easy-to-use Process Hacker program has very good capabilities for finding hidden processes. Using this utility you can see running processes, services and current network connections.
One of best programs to search for hidden processes is Spyware Process Detector, its 14-day trial version can be downloaded from the link at the end of the article. The program has a wide range of mechanisms for searching for hidden processes, which distinguishes it from many other similar utilities.
A small utility called HijackThis can be a useful tool in the fight against Trojans. The utility is designed for fairly experienced users. You can see instructions for its use below in the list of sources.
Often anonymity and secrecy play a key role in the successful performance of any actions both in reality and in virtuality, in particular in operating systems. This article will talk about how to become anonymous in OS Windows. All information is provided for informational purposes only.So, we will try to hide from the user's eyes in the manager Windows tasks. The way we will achieve this is extremely simple compared to those that are based on intercepting kernel (often undocumented) functions and creating our own drivers.
The essence of the method: search for the Task Manager window -> search in it for a child window (list) containing the names of all processes -> remove our process from the list.
As you can see, there will be no manipulations with our process: it has worked and will continue to work. Since the standard ordinary Windows user, as a rule, does not use any other tools to view running processes on his computer, then this will only play into our hands. In most cases the process will not be detected.
What was used for the study:
1) Spy++ from Microsoft (to study the hierarchy of Task Manager child windows)
2) OllyDBG to view the functions used by the dispatcher to obtain a snapshot of processes.
3) Actually, myself taskmng.exe(Task Manager)
We will use the Delphi environment to write code. Rather, Delphi will be more convenient in our case than C++. But this is just my humble opinion.
Well, first of all, let's try to figure out what a process list is and how it works. At a glance, it is clear that this is a regular window of the “SysListView32” (list) class, which is updated at a frequency of 2 frames per second (every 0.5 seconds). Let's look at the window hierarchy:
As you can see, the list of processes is, in fact, a regular window of the “SysListView32” class, which is a child of the “Processes” window (tab), which is also a child of the main window of the Task Manager. We only have a double level of nesting. In addition, the list has one child window of the “SysHeader32” class, which, as you might guess, is a header (field marker) for the list of processes.
Since this is a regular list, we have a whole set of macro commands at our disposal to manage its contents. Their diversity, at first glance, is amazing. But many of them only work from the parent process, that is, in order to use them, we will need to pretend that they are running in the parent process. But not all have this property, in particular, the ListView_DeleteItem macro command, which deletes an element from a list window (class “SysListView32”).
This is what we will use in the process. our applications. This function the second parameter is the index of the element to be deleted.
Now we need to somehow find out what index the element with the hidden process label has in the task manager. To do this, we need to somehow pull out all the elements (labels with process names) from the list of processes in the task manager and sequentially compare them with the name of the process that we want to hide.
Using macros like ListView_GetItemText our actions would be something like this:
1) Allocation of memory in the task manager process (VirtualAllocEx)
2) Sending the message LVM_GETITEMTEXT (SendMessage) to the child list window of the Task Manager
3) Write information about a list item to the allocated memory area of the Task Manager (WriteProcessMemory)
4) Reading from the dispatcher’s memory the information that interests us about the process (ReadProcessMemory)
Using this method, you can easily “shoot yourself in the foot” by counting offset bytes from the beginning of various structures used in the code. Also, this method will be quite difficult for those who are not particularly deep in WinAPI, so we will immediately put it aside. Otherwise, find an implementation this method on the Internet it won’t be difficult. Instead, I will suggest that you create your own list of processes, and, already focusing on it, look for the treasured process index in the list of processes in the Task Manager.
Microsoft decided not to worry too much about a tool called “Task Manager”, and used the usual WinAPI functions to get all the processes in the system. We look superficially taskmng.exe under the debugger:
We see the use of the WinAPI function CreateToolHelp32SnapShot.
Everyone knows that “this function can be used not only to obtain a snapshot of processes, but also process threads or modules, for example. But in this case this is unlikely. It is unlikely that they will use something like a process enumerator (EnumProcesses).
We settled on the fact that we want to create our own list of processes and look for our process in it. To do this, we will use the function that we found in the debugger. If we open the task manager on the “Processes” tab, we will notice that all processes are sorted alphabetically for ease of search. Therefore, we need to get a list of the names of all processes on the system and sort them in ascending alphabetical order. Let's start writing code in Delphi.
First, let's create a demo window application with two timers: the first one will reorganize the list with processes at the same frequency with which Windows Task Manager does it (once every two seconds); the second will fire 1000 times per second and will serve to monitor the update of the list of processes in the manager and, therefore, the appearance of our hidden process. We will also add a button to the form.
Code:
var ind:integer; h:handle; last_c:integer; procedure UpdateList(); var th:THandle; entry:PROCESSENTRY32; b:boolean; i,new_ind:integer; plist:TStringList; begin // List of processes plist:=TStringList.Create; // Form a list of processes th:= CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS,0); entry.dwSize:=sizeof(PROCESSENTRY32); b:=Process32First(th,entry); while(b) do begin plist.Add(entry.szExeFile); b:=Process32Next(th,entry); end; // Sort it so that the indexes of the elements // match those in the task manager plist.Sort; last_c:=plist.Count; // Finding the index of our process "explorer.exe" for i:=1 to plist.Count-1 do if(LowerCase(plist[i])="explorer.exe") then new_ind:=i-1; // Removing an object from the list if(new_ind<>ind) then ListView_DeleteItem(h,ind); ind:=new_ind; plist.Free; // Start the update tracking timer in the list of processes if(Form1.Timer2.Enabled=false) then Form1.Timer2.Enabled:=true; end; procedure TForm1.HideProcessButton(Sender: TObject); begin // Looking for a child window of the "SysListView32" class h:=FindWindow(nil,"Windows Task Manager"); h:=FindWindowEx(h,0,nil,"Processes"); h:=FindWindowEx(h,0,"SysListView32",nil); // Start the timer for reforming the list of processes Timer1.Enabled:=true; end; procedure TForm1.Timer1Timer(Sender: TObject); beginUpdateList(); end; procedure TForm1.Timer2Timer(Sender: TObject); begin // Search for changes in the list if(ListView_GetItemCount(h)>last_c) then ListView_DeleteItem(h,ind); last_c:=ListView_GetItemCount(h); end;Here, in fact, is all the code.
Let's hide, for example, in the Task Manager the process of the Task Manager itself:
Here it is:
And when you click on the “Hide Process” button, the process disappears from the list:
All traces of its presence in the system are erased, and it itself quietly runs in normal mode somewhere in the depths of the processor :)
Outro
Well, I think this method deserves to exist, although it requires some minor improvements. Yes, of course, it cannot be used to hide the process from the system itself, but hiding it in the standard Windows tool, which is used by the lion's share of all users, is also not bad.I hope I managed to interest you at least a little in this topic.
See you later! And may the power of anonymity be with you...
Tags:
