How to Hide a Process
Processes can be hidden both in Windows (from the Ctrl+Alt+Delete task list) and in Linux (from ps and top, by disguising the process name).
In Windows:
Programs registered as services do not show up in that task list. Note that RegisterServiceProcess is a Windows 95/98/Me API: on NT-based Windows kernel32.dll does not export it, so the C++ version below finds no entry point and returns without doing anything, and the Delphi unit, which imports it statically, fails to load with a missing-entry-point error.
Example Borland C++ Builder code:
```cpp
//--------------HiddenApp.cpp--------------
#include <vcl.h>      // standard C++ Builder project header (the bracketed name was lost in extraction)
#pragma hdrstop
USERES("HiddenApp.res");
USEFORM("Unit1.cpp", Form1);

typedef DWORD (WINAPI *TRegisterServiceProcess)(DWORD, DWORD);
bool registered = false;
//-----------------------------------------------------------------------
void __fastcall reg(bool which)  // true = register, false = unregister
{
    HMODULE hmod;
    TRegisterServiceProcess pReg;

    hmod = LoadLibrary("kernel32.dll");
    if (!hmod) return;
    // Looked up at run time: the export only exists on Windows 95/98/Me
    pReg = (TRegisterServiceProcess)GetProcAddress(hmod, "RegisterServiceProcess");
    if (!pReg) { FreeLibrary(hmod); return; }
    if (which)
        pReg(0, 1);   // dwProcessId 0 = current process, 1 = RSP_SIMPLE_SERVICE (register)
    else
        pReg(0, 0);   // 0 = RSP_UNREGISTER_SERVICE (unregister our process)
    registered = which;
    FreeLibrary(hmod);
}
//-----------------------------------------------------------------------
int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
{
    try {
        reg(true);
        Application->Initialize();
        Application->CreateForm(__classid(TForm1), &Form1);
        Application->Run();
    }
    catch (Exception &exception) {
        Application->ShowException(&exception);
    }
    if (registered) reg(false);
    return 0;
}
//--------------eof--------------------------------------------------------
```
Example Delphi code:
```pascal
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    procedure FormDestroy(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { private declarations }
  public
    { public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.DFM}

const
  RSPSIMPLESERVICE = 1;
  RSPUNREGISTERSERVICE = 0;

{ Static import: the program only loads where KERNEL32.DLL exports this function }
function RegisterServiceProcess(dwProcessID, dwType: DWord): DWord; stdcall;
  external 'KERNEL32.DLL';

procedure TForm1.FormDestroy(Sender: TObject);
begin
  RegisterServiceProcess(GetCurrentProcessID, RSPUNREGISTERSERVICE)
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  RegisterServiceProcess(GetCurrentProcessID, RSPSIMPLESERVICE)
end;

end.
```
Linux process hiding:
Hiding from process listings (although I see few legal situations where you would need to hide a process you ran): you can change the name a process reports so that it looks like another process, e.g. (from Phrack):
```c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *p;

    (void) argc;
    /* zero the original argv[0] in place, then write the fake name over it */
    for (p = argv[0]; *p; p++)
        *p = 0;
    strcpy(argv[0], "rn");
    (void) getchar();   /* pause so you can see that ps reports "rn" */
    return 0;
}
```
“Basically, this program waits for a key-stroke and then exits. But, while it’s waiting, if you were to look up the process it would show the name as being “rn”. You’re just actually re-writing the argument list of the spawned process. This is a good method of hiding your process or program names. It’s a good idea to use this method in any “rogue” programs you might not want to be discovered by a system administrator.”
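A defender-side consistency check for the argv[0] rewrite above, added here as an example (it is not from the Phrack article or this page): ps takes the command it displays from /proc/<pid>/cmdline, which is the process's own argv and can be overwritten, but /proc/<pid>/exe and /proc/<pid>/comm are held by the kernel and are untouched by this trick, so a process whose argv[0] matches neither stands out. The function and file names are my own; the /proc layout is the real one.

```python
import os
from typing import List, Optional, Tuple

def argv0_mismatch(cmdline: bytes, exe_path: Optional[str], comm: str) -> Optional[str]:
    """Return a reason if argv[0] disagrees with the kernel's view, else None.

    cmdline: raw /proc/<pid>/cmdline; exe_path: readlink of /proc/<pid>/exe or
    None when unreadable; comm: /proc/<pid>/comm without the trailing newline.
    """
    argv0 = cmdline.split(b"\0")[0].decode("utf-8", "replace")
    if not argv0:
        # Kernel threads have no cmdline; a user process with an empty argv[0] is odd.
        return None if exe_path is None else "empty argv[0] for a user-space process"
    argv0_base = os.path.basename(argv0)
    exe_base = os.path.basename(exe_path) if exe_path else ""
    if exe_base.endswith(" (deleted)"):          # binary unlinked while running
        exe_base = exe_base[: -len(" (deleted)")]
    # Consistent if argv[0] starts with either kernel-held name; the prefix test
    # tolerates comm truncation at 15 bytes and daemons that rewrite argv to a
    # status line such as "sshd: alice [priv]".
    for name in (exe_base, comm.strip()):
        if name and argv0_base.startswith(name):
            return None
    return f"argv[0] {argv0_base!r} matches neither exe {exe_base!r} nor comm {comm!r}"


def scan_proc(proc: str = "/proc") -> List[Tuple[int, str]]:
    """Walk a procfs tree and return (pid, reason) for inconsistent processes."""
    findings: List[Tuple[int, str]] = []
    if not os.path.isdir(proc):
        return findings
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc, entry)
        try:
            with open(os.path.join(pdir, "cmdline"), "rb") as f:
                cmdline = f.read()
            with open(os.path.join(pdir, "comm"), "rb") as f:
                comm = f.read().decode("utf-8", "replace").rstrip("\n")
        except OSError:
            continue                 # process exited between listdir() and open()
        try:
            exe: Optional[str] = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            exe = None               # kernel thread, zombie, or not running as root
        reason = argv0_mismatch(cmdline, exe, comm)
        if reason:
            findings.append((int(entry), reason))
    return findings
```

Run scan_proc() as root so that /proc/<pid>/exe is readable for every process; expect a few legitimate hits from programs that rewrite their own argv in ways the prefix test does not cover, and compare them against `ps -o pid,comm,args` before acting on them.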