c++ - How to Detect Hidden Processes -

-


c++ - How to Detect Hidden Processes -

wondering how application "process explorer" or "combo fix" observe hidden process ??? i'm assuming must done in c or c++. easy plenty access process list in .net not accurate, know root kits can mask task manager. through memory access , io ? curious if knows how accomplished.

this question can't answered. depends how process has been hidden in first place. example, can hide process injecting usermode dll processes hooks enumprocesses, process32next, etc. , other apis related process enumeration. bypassed trampoline skips hook.

however, if process hidden through modifying kernel eprocess linked list holds list of processes, method needed subvert code performed hiding. if define how think process beingness 'hidden', maybe can suggest how observe it. processes think beingness hidden still beingness discovered process explorer?

also taking consideration there multiple ways hide process. of mutual ways observe ?

the problem if have no thought looking for, it's impossible find it. suppose process has made hidden task manager hooking enumprocesses. might think easy case detect. however, process hooking enumprocesses through variety of different ways. example, unconditional hook @ start of function, iat hook, causing access violation occur @ enumprocessesand catching veh , modifying eip/rip, etc. etc. in simple case, not possible guarantee detection of hook. assuming hook has been performed @ usermode on specific api , code makes no effort hide detection.

if looking general guidelines, best method @ mutual detouring techniques. 1 time know how method works, trivial write code observe manipulation.

perhaps if gave motivation write sort of code or purpose serve, able help better.

if looking ways programs detour execution of other processes, through 1 of 2 means:

dynamic (runtime) detouring - more mutual method , used libraries such microsoft detours. here relevant paper first few bytes of function overwritten unconditionally branch instrumentation. (static) binary rewriting - much less mutual method rootkits, used research projects. allows detouring performed statically analysing , overwriting binary. old (not publicly available) bundle windows performs etch. this paper gives high-level view of how works conceptually.

although detours demonstrates 1 method of dynamic detouring, there countless methods used in industry, in reverse engineering science , hacking arenas. these include iat , breakpoint methods mentioned above. 'point in right direction' these, should @ 'research' performed in fields of research projects , reverse engineering.

c++ c windows

Comments

Post a Comment

Popular posts from this blog

How do I check if an insert was successful with MySQLdb in Python? -

-
How do I check if an insert was successful with MySQLdb in Python? - i have code: cursor = conn.cursor() cursor.execute(("insert new_files (videos_id, filename, " "is_processing) values (%s,%s,1)"), (id, filename)) logging.warn("%d", cursor.rowcount) if (cursor.rowcount == 1): logging.info("inserted values %d, %s", id, filename) else: logging.warn("failed insert values %d, %s", id, filename) cursor.close() fun is, cursor.rowcount always one, though updated database create videos_id unique key. is, insert fails because in tests same videos_id going appear (and when check database, nil inserted). whatever reason, rowcount 1 - logging.warn have spits out rowcount of 1. so, question: can utilize rowcount work out if insert went fine? if so, (presumably) doing wrong? otherwise, how check if insert went fine? your code not commit after modifications (your modifications rolled back). should...
Read more

delphi - blogger via idHTTP : error 400 bad request -

-
delphi - blogger via idHTTP : error 400 bad request - i'm trying post blogger using idhttp component, however, i'm getting "http/1.0 400 bad request" error. procedure tform1.button1click(sender: tobject); var request,response,req : tstringlist; auth,blogid : string; begin blogid := '00000000000000000000000'; request := tstringlist.create; response := tstringlist.create; req := tstringlist.create; idhttp1.request.connection := 'keep-alive'; idhttp1.request.contenttype := 'application/x-www-form-urlencoded'; idssliohandlersocket1.ssloptions.method := sslvsslv23; request.clear(); request.values['accounttype'] := 'google'; request.values['email'] := 'xxx@gmail.com'; request.values['passwd'] := 'yyy'; request.values['service'] := 'blogger'; response.text :=idhttp1.post('https://www.google.com/accounts/clientlogin',request); auth := resp...
Read more

postgresql - ERROR: operator is not unique: unknown + unknown -

-
postgresql - ERROR: operator is not unique: unknown + unknown - i have postgis database , have compute new values rows in new column. these values should average of values of several columns. query: insert bdps (da_m) values (avg('da_1'+'da_2'+'da_3'+'da_4'+'da_5'+'da_6'+'da_7')); in query bdps database, da_m new column , da_1 da_7 existing columns have double precision type. da_m created using alter table bdps add together column da_m double precision; i next error: error: operator not unique: unknown + unknown line 2: values (avg('da_1'+'da_2'+'da_3'+'da_4'+'da_5'+'da_6'+'da_7... ^ hint: not take best candidate operator. might need add together explicit type casts. ********** error ********** error: operator not unique: unknown + unknown sql state: 42725 hint: not take best candidate operator. might need add togethe...
Read more