Study/Computer

[Win32] Hiding a process

http://bdn.borland.com/article/0,1410,10396,00.html


Abstract: An examination of how to prevent your application from showing up in the list displayed in Windows 95/98 by hitting Ctrl+Alt+Del

Subject:
Preventing an application from showing up in the Ctrl+Alt+Delete process list
Introduction:
Have you ever wondered how to make your application invisible to the
Ctrl+Alt+Del list of processes in Windows 95/98? Well, worry no longer.
This can be accomplished with relative ease with a function exported
from kernel32.dll called RegisterServiceProcess.


RegisterServiceProcess does pretty much what it sounds like. It registers
a process as a "service process," a process which continues to run after
the user logs off. A registered service process is exempt from automatic
shutdown at logoff time. An added benefit of being a service process is
that the process is not listed in the Ctrl+Alt+Del task list. It is defined as:


DWORD WINAPI RegisterServiceProcess(DWORD procID, DWORD reg);


procID is the process id of the process to register (in this case, we use 0 to indicate
the current process).
reg is 1 for registering and 0 for unregistering.


To do this trick, I made a function that loads the DLL and registers or unregisters
the process as a service process, and called it from the WinMain function of our app.

Code: Project source for a project called HiddenApp


//--------------HiddenApp.cpp--------------
#include <vcl.h>
#pragma hdrstop

USERES("HiddenApp.res");
USEFORM("Unit1.cpp",Form1);

// RegisterServiceProcess is exported by kernel32.dll on Windows 95/98/Me only,
// so it is resolved at run time; where it is absent the program simply runs unhidden.
typedef DWORD (WINAPI *TRegisterServiceProcess)(DWORD,DWORD);
bool registered=false;

//-----------------------------------------------------------------------
void __fastcall reg(bool which) //true=register, false=unregister
{
  HMODULE hmod;
  TRegisterServiceProcess pReg;
  hmod = LoadLibrary("kernel32.dll");

  if (!hmod) return;
  pReg = (TRegisterServiceProcess)::GetProcAddress(hmod,"RegisterServiceProcess");
  if (!pReg) {FreeLibrary(hmod); return;} //not a Windows 9x kernel32: nothing to do
  if (which)
    pReg(0,1); //register the current process (0) as a service process
  else
    pReg(0,0); //unregister our process
  registered = which;
  FreeLibrary(hmod);
}
//-----------------------------------------------------------------------
int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,int)
{
  try
  {
    reg(true);
    Application->Initialize();
    Application->CreateForm(__classid(TForm1), &Form1);
    Application->Run();
  }
  catch (Exception &exception)
  {
    Application->ShowException(&exception);
  }

  if (registered) reg(false);
  return 0;
}
//--------------eof--------------------------------------------------------

http://www.groovyweb.uklinux.net/?category=windows&page_name=how%20to%20hide%20a%20process

how to hide a process

--------------------------------------------------------------------------------

How to hide processes
Processes can be hidden in both Windows (from the Ctrl+Alt+Delete task list) and Linux (from ps and top).

In Windows:
Programs registered as service processes are not shown in the list. Prog to hide programs you have not written

Example Borland C code: the same HiddenApp.cpp listing given in the Borland article above.


Example delphi code:


unit Unit1;

Interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
    StdCtrls;

type
  TForm1 = class (TForm)
    Button1 : TButton;
    procedure FormDestroy (Sender: TObject);
    procedure FormCreate (Sender: TObject);
  private
    { private declarations }
  public
    { public declarations }
  end;

var
  Form1 : TForm1;

implementation

{$R *.DFM}

const
  RSPSIMPLESERVICE     = 1;  { register the caller as a service process }
  RSPUNREGISTERSERVICE = 0;  { remove the registration again }

{ The import is resolved when the program loads, so this executable only
  starts on Windows 95/98/Me, where kernel32.dll exports the function }
function RegisterServiceProcess (dwProcessID, dwType: DWord) : DWord;
  stdcall; external 'KERNEL32.DLL';

procedure TForm1.FormDestroy (Sender: TObject);
begin
  RegisterServiceProcess (GetCurrentProcessID, RSPUNREGISTERSERVICE)
end;


procedure TForm1.FormCreate (Sender: TObject);
begin
  RegisterServiceProcess (GetCurrentProcessID, RSPSIMPLESERVICE)
end;


end.




Linux process hiding:
Hiding from logs (although I see few legal situations where you would need to hide a process you ran). You can change the name of a process so that it looks like another process, e.g. (from Phrack):

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *p;
    (void) argc;

    /* Blank out the original argv[0] in place, then write the fake name over
       it. The new name must not be longer than the original argv[0], or the
       copy runs past the end of the string. */
    for (p = argv[0]; *p; p++)
        *p = 0;

    strcpy(argv[0], "rn");

    /* Only the argument list is rewritten; /proc/<pid>/exe still names the
       real executable. */
    (void) getchar(); /* to allow you to see that ps reports "rn" */
    return 0;
}

"Basically, this program waits for a key-stroke and then exits. But, while it's waiting, if you were to look up the process it would show the name as being "rn". You're just actually re-writing the argument list of the spawned process. This is a good method of hiding your process or program names. It's a good idea to use this method in any "rogue" programs you might not want to be discovered by a system administrator."
Phrack 43
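A defender-side check for the argv[0] trick above, added here as an example (it is not from the groovyweb page or the Phrack text): the name ps prints comes from /proc/<pid>/cmdline, which the process itself can overwrite, while /proc/<pid>/exe is a kernel-maintained link to the real binary that user space cannot rewrite, so a process whose two names disagree is worth a look. The function names and buffer sizes are my own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 when the name a process advertises in argv[0] disagrees with the
   basename of the executable the kernel reports, 0 otherwise. Pure string
   comparison so it can be exercised on constructed input. */
int name_mismatch(const char *argv0, const char *exe_path)
{
    if (!argv0 || !exe_path || !*argv0 || !*exe_path)
        return 0;                       /* nothing to compare */
    const char *a = strrchr(argv0, '/');
    const char *e = strrchr(exe_path, '/');
    a = a ? a + 1 : argv0;              /* basename of argv[0] */
    e = e ? e + 1 : exe_path;           /* basename of the real binary */
    return strcmp(a, e) != 0;
}

/* Reads argv[0] from /proc/<pid>/cmdline (the NUL-separated list that ps shows
   and that the Phrack trick overwrites) and the target of /proc/<pid>/exe, a
   kernel-maintained symlink that user space cannot rewrite. Returns 0 on
   success, -1 if /proc is unavailable, the process is gone, or access is denied. */
int read_proc_names(pid_t pid, char *argv0, size_t alen, char *exe, size_t elen)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(argv0, 1, alen - 1, f);
    fclose(f);
    argv0[n] = '\0';                    /* the first NUL already ends argv[0] */
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t r = readlink(path, exe, elen - 1);
    if (r < 0) return -1;
    exe[r] = '\0';                      /* readlink does not NUL-terminate */
    return 0;
}

int main(void)
{
    char argv0[256], exe[4096];         /* buffer sizes are assumptions */
    if (read_proc_names(getpid(), argv0, sizeof argv0, exe, sizeof exe) == 0)
        printf("argv[0]=%s exe=%s mismatch=%d\n", argv0, exe,
               name_mismatch(argv0, exe));
    return 0;
}
```

Symlinked or wrapper launches (a login shell reporting -bash, busybox applets, python3 resolving to a versioned binary) also disagree, so treat a mismatch as a triage signal rather than proof.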