Hiding a window

[nitro322]

I've written a program that uses other utilities to scan a system and log the output. This detects running processes, open ports, installed/missing patches, etc. I'm currently adding RootkitRevealer.exe to the mix so I can scan for rootkit activity, but I'm have trouble hiding the RootkitRevealer window while running (for various reasons, I don't want anything displayed on the sceen while the scan is running).

For some reason, running the program with @SW_HIDE simply doesn't work, though I don't know why. I've been able to fix it when scanning a local system with this:

$pid = run($sysdrive & 'RootkitRevealer.exe -a -c -m ' & $sysdrive & 'rootkit.txt', $sysdrive, @SW_HIDE)
while processexists($pid)
    if winexists("RootkitRevealer") then winsetstate("RootkitRevealer", "", @SW_HIDE)
wend
processwaitclose($pid)

If I launch a scan by simply double-clicking on the compiled .exe, that works fine. However, I also need the ability to scan remote systems. I'm using psexec.exe from SysInternals to do this, and the scan itself runs fine. The problem, though, is that when I enable the new rootkit option, the RootkitRevealer window always appears on the remote system. This even occurs if I use psexec to run the program on my own system. I simply cannot figure out how to hide it.

Does anyone have any ideas for this? Here are the psexec options I'm using, for those that may already have some experience with it:

psexec.exe \\hostname -u username -c -f sysinfo.exe /silent

sysinfo.exe is the name of my program, and I'm passing the /silent switch to it to instruct it not to display any progress information.

I'd really appreciate any ideas here. I've been hacking around with this for a couple days now, and am completely out of ideas at this point.

Thanks.

Edit: After re-reading my post, I realized that the way I described the issue above could be interpreted as malicious intent (pulling back a list of running processes, open ports, missing patches, etc. on remote systems). Let me clarify just a bit: this is for use solely within my company, and does indeed fall within my area of responsibility. I don't really have any way to prove it, of course, but I hope I've been around long enough at this point that I can be given the benefit of the doubt here.

Edited September 20, 2006 by nitro322

[blademonkey]

I've written a program that uses other utilities to scan a system and log the output. This detects running processes, open ports, installed/missing patches, etc. I'm currently adding RootkitRevealer.exe to the mix so I can scan for rootkit activity, but I'm have trouble hiding the RootkitRevealer window while running (for various reasons, I don't want anything displayed on the sceen while the scan is running).

For some reason, running the program with @SW_HIDE simply doesn't work, though I don't know why. I've been able to fix it when scanning a local system with this:

$pid = run($sysdrive & 'RootkitRevealer.exe -a -c -m ' & $sysdrive & 'rootkit.txt', $sysdrive, @SW_HIDE)
while processexists($pid)
    if winexists("RootkitRevealer") then winsetstate("RootkitRevealer", "", @SW_HIDE)
wend
processwaitclose($pid)

If I launch a scan by simply double-clicking on the compiled .exe, that works fine. However, I also need the ability to scan remote systems. I'm using psexec.exe from SysInternals to do this, and the scan itself runs fine. The problem, though, is that when I enable the new rootkit option, the RootkitRevealer window always appears on the remote system. This even occurs if I use psexec to run the program on my own system. I simply cannot figure out how to hide it.

Does anyone have any ideas for this? Here are the psexec options I'm using, for those that may already have some experience with it:

psexec.exe \\hostname -u username -c -f sysinfo.exe /silent

sysinfo.exe is the name of my program, and I'm passing the /silent switch to it to instruct it not to display any progress information.

I'd really appreciate any ideas here. I've been hacking around with this for a couple days now, and am completely out of ideas at this point.

Thanks.

Edit: After re-reading my post, I realized that the way I described the issue above could be interpreted as malicious intent (pulling back a list of running processes, open ports, missing patches, etc. on remote systems). Let me clarify just a bit: this is for use solely within my company, and does indeed fall within my area of responsibility. I don't really have any way to prove it, of course, but I hope I've been around long enough at this point that I can be given the benefit of the doubt here.

Make it hide the window regardless of switch. since you're running it remotely you probably dont need it.

I think it's bombing because it's copying the sysinfo file and running it and not added the /silent switch.

[nitro322]

Make it hide the window regardless of switch. since you're running it remotely you probably dont need it.

I think it's bombing because it's copying the sysinfo file and running it and not added the /silent switch.

Actually, it is setup that way. The /silent switch simply tells the program not to display an AutoIt progress window; all application windows are hidden regardless. Even if the person runs it locally with no /silent switch, all he will see is the AutoIt progress window.

I did figure out how to make this work, though it's more of a workaround than a proper solution. I modified my psexec.exe call to include the -i option, which instructs the program to "interact with the desktop on the remote desktop." I don't know why this makes it work, but it does.

If anyone has a better explanation or solution, though, I'd still like to here it. I'd like to understand why exactly this is happening, so I can better deal with it in the future.

Thanks.