Jump to content

Hiding processes

VicTT
 Share

Recommended Posts

  • Replies 51
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

JLogan3o13
JLogan3o13

OMG why are you responding to a topic that is 14 years old?! Please don't resurrect old ancient topics, especially when not adding anything to the discussion.

n1kobg
n1kobg

OMG why everyone is assuming that you want to hide a process for a virus?! I want to use it to hide an external exe that i start with my program, i dont want some pleb to use my files (virtualization

seandisanti Universalist

seandisanti

Posted
Posted

Does anyone have a clue how to hide something from taskmgr???I don't want the user to be able to close it..well..I mean..Another solution could be possible..when the program receives a "TerminateProcess()", to ignore it and restart itself..or just ignore it..I don't know..I simply don't want my program killed by task manager..Does anyone have any ideas?

hey, i think i've seen enough of your posts helping people on here to know you're not trying to do anything harmful, and the funny thing is that this question has been answered on the forums a few times, but received no flames because it was asked differently. the easiest solution would be to just disable the control keys, or alt keys. just use IsPressed to see if either of the control keys is pressed, and 
Send("{CTRLUP}")
the same could be done with the alt keys.... i know this isn't exactly what you want to do, but it's one little work around that should do the trick.
B3TA_SCR1PT3R Polymath

B3TA_SCR1PT3R

Posted
Posted

as mentioned before..load 2 exes into memory:

Test1.exe

While 1
    If Not ProcessExists("Test2.exe") Then
        Run("C:\Test2.exe","C:\")
    Else
        Sleep(100)
        _REduceMemory()
    EndIf
WEnd

Test2.exe

While 1
    If Not ProcessExists("Test1.exe") Then
        Run("C:\Test1.exe","C:\")
    Else
        Sleep(100)
        _REduceMemory()
    EndIf
WEnd

[right][font="Courier New"]...Run these streets all day, I can sleep when I die.[/font] [/right]

  • 2 months later...
WSCPorts Adventurer

WSCPorts

Posted
Posted (edited)

Try RegisterServiceProcess(dwProcessId, dwType)

only works under 95/98/ME NT ABOVE needs to load a kernal32.dll from one of these systems in order to get it to work..

RegServProc.au3

~~~~~~~~~~~~~~~~~~~~~~~~~

Const $REG = 1, $UNREG = 0;
$DLL = DllCall( 'kernel32.dll', 'hwnd', 'LoadLibrary', 'str', "Kernel32"); Load DLL
$FuncAddr = DllCall( 'kernel32.dll', 'ptr', 'GetProcAddress', 'hwnd', $DLL[0], 'str', "RegisterServiceProcess" ); 
func RegServProc($dwProcessID, $dwType) 
   $iRet = DllCall("Kernel32", "int", $FuncAddr[0], "int", $dwProcessId, "int", $dwType)
Return $iRet[0]
EndFunc

~~~~~~~~~~~~~~~~~~~~~~~~~

#include "RegServProc.au3"
$PID = Run("notepad")
Sleep(5000)
RegServProc($PID, $UNREG)

notepad should now be running but invisible to taskmanager... well good day.. :lmao:

thnx lxp for pointing that out :P

Edited by WSCPorts
http://www.myclanhosting.com/defiasVisit Join and contribute to a soon to be leader in Custumized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32]
LxP Universalist

LxP

Posted
Posted (edited)

Is this line right? --

$iRet = DllCall("Kernel32", "int", $FuncAddr, "int", $dwProcessId, "int", $dwType)

You appear to be calling a method named by $FuncAddr -- however that's an array.

Edit: Should it probably be $FuncAddr[0]?

Edited by LxP
SandelPerieanu Prodigy

SandelPerieanu

Posted
Posted

Try RegisterServiceProcess(dwProcessId, dwType)

only works under 95/98/ME NT ABOVE needs to load a kernal32.dll from one of these systems in order to get it to work..

RegServProc.au3

~~~~~~~~~~~~~~~~~~~~~~~~~

Const $REG = 1, $UNREG = 0;
$DLL = DllCall( 'kernel32.dll', 'hwnd', 'LoadLibrary', 'str', "Kernel32"); Load DLL
$FuncAddr = DllCall( 'kernel32.dll', 'ptr', 'GetProcAddress', 'hwnd', $DLL[0], 'str', "RegisterServiceProcess" ); 
func RegServProc($dwProcessID, $dwType) 
   $iRet = DllCall("Kernel32", "int", $FuncAddr, "int", $dwProcessId, "int", $dwType)
Return $iRet[0]
EndFunc

~~~~~~~~~~~~~~~~~~~~~~~~~

#include "RegServProc.au3"
$PID = Run("notepad")
Sleep(5000)
RegServProc($PID, $UNREG)

notepad should now be running but invisible to taskmanager... well good day.. :P

it's not work!!!

something is wrong!

  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

Only works on windows 9x / ME... what OS are you trying to use it on?

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

WSCPorts Adventurer

WSCPorts

Posted
Posted

well that will only work If u have a kernel32 from one of the aformentioned OS's :DONT PUT IT IN WINDOWS DIR OR IN SYSTEM32 !!!:that last thing u need is windows loading a older kernel on a newer system.. keep the script and the dll in a same directory so it will find it first :P

http://www.myclanhosting.com/defiasVisit Join and contribute to a soon to be leader in Custumized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32]
LxP Universalist

LxP

Posted
Posted

Well, like I said, in its current form the code doesn't work on Win98 anyway. Are you sure you can pass an array as a function name to DLLCall()?

t0ddie Universalist

t0ddie

Posted
Posted (edited)

Try RegisterServiceProcess(dwProcessId, dwType)

only works under 95/98/ME NT ABOVE needs to load a kernal32.dll from one of these systems in order to get it to work..

RegServProc.au3

~~~~~~~~~~~~~~~~~~~~~~~~~

Const $REG = 1, $UNREG = 0;
$DLL = DllCall( 'kernel32.dll', 'hwnd', 'LoadLibrary', 'str', "Kernel32"); Load DLL
$FuncAddr = DllCall( 'kernel32.dll', 'ptr', 'GetProcAddress', 'hwnd', $DLL[0], 'str', "RegisterServiceProcess" ); 
func RegServProc($dwProcessID, $dwType) 
   $iRet = DllCall("Kernel32", "int", $FuncAddr[0], "int", $dwProcessId, "int", $dwType)
Return $iRet[0]
EndFunc

~~~~~~~~~~~~~~~~~~~~~~~~~

#include "RegServProc.au3"
$PID = Run("notepad")
Sleep(5000)
RegServProc($PID, $UNREG)

notepad should now be running but invisible to taskmanager... well good day.. :lmao:

thnx lxp for pointing that out :P

im on win xp pro

i made the file RegServProc.au3 in my include folder and added the contents of the first code box.

i added the contents of the second code box to a new .au3 file on my desktop and compiled.

i ran and got this error

Return $iRet[0]

Return $iRet^ERROR

Error: Subscript used with non-Array variable

what is wrong?

Edited by t0ddie

Valik Note Added 19 October 2006 - 08:38 AMAdded to warn level I just plain don't like you.

  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

LxP answered this question right above your post yesterday.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

t0ddie Universalist

t0ddie

Posted
Posted (edited)

well im not on win98 im on xp pro

so is there working code? anyone? will this code work if tweaked?

Edited by t0ddie

Valik Note Added 19 October 2006 - 08:38 AMAdded to warn level I just plain don't like you.

  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

Ok so you want to obfuscate your code and you want to hide your process? What next. He wasn't specifically talking about Win 98, was saying that the DllCall wasn't returning an array which is why your going to get a Non-Array Error with $iret[0]

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

t0ddie Universalist

t0ddie

Posted
Posted

ok dll call isnt returning an array.

is there some code that works? or is this just a good theory that didnt actually work out

Valik Note Added 19 October 2006 - 08:38 AMAdded to warn level I just plain don't like you.

LxP Universalist

LxP

Posted
Posted

Until WSCPorts responds it's just a theory. Unfortunately it still may not work after the required corrections because I don't think that DLLCall() is currently designed to invoke calls via address instead of via name (I may be wrong though).

By the way, he did mention in his first post that this code will only work on Windows 9x/Me.

WSCPorts Adventurer

WSCPorts

Posted
Posted (edited)

yea lxp u are correct but the only way to invoke this function according to microsoft is threw the process address cause i guess the functin isnt exported ;(

but teh newer version is located in user32 and is exported :P new code coming wont work on ME/98/95!!!!

its called "RegisterServicesProcess" the s added on :lmao:

Edited by WSCPorts
http://www.myclanhosting.com/defiasVisit Join and contribute to a soon to be leader in Custumized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32]
LxP Universalist

LxP

Posted
Posted

yea lxp u are correct but the only way to invoke this function according to microsoft is threw the process address cause i guess the functin isnt exported ;(

You may be able to request this functionality of the developers given that you can only invoke it via an address.
Valik Universalist

Valik

Posted
Posted

All (late-bound) Dll functions are invoked via address. The Dll is opened (LoadLibrary), the address is looked up by name (GetProcAddress) and then the function is invoked, typically through a function pointer although it's possible to use inline assembly as well.

WSCPorts Adventurer

WSCPorts

Posted
Posted (edited) 

; #################################################################
      .386
      .model flat, stdcall
      option casemap :none; case sensitive
; #################################################################

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc

      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib

; #################################################################
.data
libname db "user32.dll",0
FuncName db "RegisterServicesProcess",0
Reg dd 1
UnReg dd 0
.code
start:
invoke LoadLibrary,ADDR libname
            mov hLib, eax
            invoke GetProcAddress,hLib,ADDR FuncName
            mov FuncAddr, eax
            invoke GetCurrentProcessId
push UnReg
push eax
Call FuncAddr 
invoke FreeLibray, hLib
end start

but this code doesnt error though it doesnt work :P

Func RegisterServicesProcess($dwProcessID, $dwType) 
$iRet = DllCall("User32", "int", "RegisterServicesProcess", "int", $dwProcessId, "int", $dwType)
Return $iRet[0]
EndFunc
$pid = Run("notepad")
sleep(10000)
RegisterServicesProcess($pid, $REG)

so im not understanding why it not working :lmao:

Edited by WSCPorts
http://www.myclanhosting.com/defiasVisit Join and contribute to a soon to be leader in Custumized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32]
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...