Abstract: An examination of how to prevent your application from showing up in the list displayed in Windows 95/98 by hitting Ctrl+Alt+Del
http://www.groovyweb.uklinux.net/?category=windows&page_name=how%20to%20hide%20a%20process
how to hide a process
--------------------------------------------------------------------------------
How to hide processes
Processes can be hidden in both Windows (from the Ctrl+Alt+Delete list) and Linux (from ps and top).
In Windows:
Programs registered as service processes are not shown in the list. Prog to hide programs you have not written
Example Borland C++ code:
//--------------HiddenApp.cpp--------------
#include <vcl.h>
#pragma hdrstop
USERES("HiddenApp.res");
USEFORM("Unit1.cpp",Form1);
// RegisterServiceProcess exists only in the Windows 95/98 family kernel32.dll,
// so it is resolved at run time rather than linked statically.
typedef DWORD (WINAPI *TRegisterServiceProcess)(DWORD,DWORD);
bool registered=false;
//-----------------------------------------------------------------------
void __fastcall reg(bool which) //true=register, false=unregister
{
    HMODULE hmod;
    TRegisterServiceProcess pReg;
    hmod = LoadLibrary("kernel32.dll");
    if (!hmod) return;
    pReg = (TRegisterServiceProcess)::GetProcAddress(hmod,"RegisterServiceProcess");
    if (!pReg) {FreeLibrary(hmod); return;}
    if (which)
        pReg(0,1); //register our process as a service (process ID 0 = current process)
    else
        pReg(0,0); //unregister our process
    registered = which; //remember whether we are currently registered
    FreeLibrary(hmod);
}
//-----------------------------------------------------------------------
WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,int)
{
    try
    {
        reg(true);
        Application->Initialize();
        Application->CreateForm(__classid(TForm1), &Form1);
        Application->Run();
    }
    catch (Exception &exception)
    {
        Application->ShowException(&exception);
    }
    if (registered) reg(false);
    return 0;
}
//--------------eof--------------------------------------------------------
Example delphi code:
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls;

type
  TForm1 = class (TForm)
    Button1 : TButton;
    procedure FormDestroy (Sender: TObject);
    procedure FormCreate (Sender: TObject);
  private
    { private declarations }
  public
    { public declarations }
  end;

var
  Form1 : TForm1;

implementation

{$R *.DFM}

const
  RSPSIMPLESERVICE = 1;
  RSPUNREGISTERSERVICE = 0;

function RegisterServiceProcess (dwProcessID, dwType: DWord) : DWord;
  stdcall; external 'KERNEL32.DLL';

procedure TForm1.FormDestroy (Sender: TObject);
begin
  RegisterServiceProcess (GetCurrentProcessID, RSPUNREGISTERSERVICE)
end;

procedure TForm1.FormCreate (Sender: TObject);
begin
  RegisterServiceProcess (GetCurrentProcessID, RSPSIMPLESERVICE)
end;

end.
Linux process hiding:
Hiding from logs (although I see few legal situations where you would need to hide a process you ran). You can change the name of a process so it looks like another process, e.g. (from Phrack):
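#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *p;

    /* wipe the original program name in place */
    for (p = argv[0]; *p; p++)
        *p = 0;
    /* overwrite it with the name that should be displayed */
    strcpy(argv[0], "rn");
    (void) getchar (); /* to allow you to see that ps reports "rn" */
    return(0);
}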
"Basically, this program waits for a key-stroke and then exits. But, while it's waiting, if you were to look up the process it would show the name as being "rn". You're just actually re-writing the argument list of the spawned process. This is a good method of hiding your process or program names. It's a good idea to use this method in any "rogue" programs you might not want to be discovered by a system administrator."
Phrack 43
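The argv[0] rewrite quoted above only changes what /proc/<pid>/cmdline (and therefore ps) reports; the /proc/<pid>/exe link still points at the real binary, so comparing the two exposes the trick. The following is an added example, not code from the original page or from Phrack: the function name argv0_mismatch is made up for illustration, and it assumes a Linux /proc filesystem.

```c
/* Added example: flag processes whose argv[0] disagrees with /proc/<pid>/exe. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static const char *base_name(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* cmdline: raw NUL-separated bytes of /proc/<pid>/cmdline (len bytes); exe: the
 * readlink() target of /proc/<pid>/exe. Returns 1 on a mismatch, else 0. */
int argv0_mismatch(const char *cmdline, size_t len, const char *exe) {
    char a0[4096], ex[4096];
    size_t n = 0;
    while (n < len && n < sizeof a0 - 1 && cmdline[n]) { a0[n] = cmdline[n]; n++; }
    a0[n] = '\0';
    snprintf(ex, sizeof ex, "%s", exe);
    char *del = strstr(ex, " (deleted)");   /* suffix the kernel adds for unlinked binaries */
    if (del && del[10] == '\0') *del = '\0';
    const char *a = base_name(a0);
    if (*a == '-') a++;                     /* login shells run as "-bash" */
    return *a == '\0' || strcmp(a, base_name(ex)) != 0;
}

int main(void) {
    DIR *proc = opendir("/proc");
    struct dirent *e;
    while (proc && (e = readdir(proc)) != NULL) {
        char path[300], cmd[4096], exe[4096];
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        ssize_t el = readlink(path, exe, sizeof exe - 1);
        if (el < 0) continue;               /* kernel thread, or not permitted to read */
        exe[el] = '\0';
        snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
        FILE *f = fopen(path, "rb");
        if (!f) continue;
        size_t cl = fread(cmd, 1, sizeof cmd - 1, f);
        fclose(f);
        cmd[cl] = '\0';                     /* so %s below prints argv[0] only */
        if (argv0_mismatch(cmd, cl, exe))
            printf("pid %s: argv[0]=\"%s\" exe=%s\n", e->d_name, cmd, exe);
    }
    if (proc) closedir(proc);
    return 0;
}
```

Interpreted scripts and multi-call binaries, where argv[0] legitimately differs from the executable's file name, are flagged too, so hits are leads to review rather than verdicts. Reading /proc/<pid>/exe for other users' processes needs root.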