Hidden Process

Walter Wang [MSFT]

Hi Pony,

I'm not sure how you define a process as "hidden". Anyway, the following
information might be helpful for your reference:

1) Use Process.GetProcess() to get all running processes on current system.

2) You can iterate over the process list to find your target process (which
you want to kill).

3) A Process has a method named "Kill()" which can be used to kill it
immediately.

Let me know if you need further information.


Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Walter Wang [MSFT]

Hi Pony,

For such a hidden process created by a rootkit
(http://en.wikipedia.org/wiki/Rootkit, http://www.rootkit.com), it will not
be listed by a normal process API such as the .NET Process class. To understand
why it's not listed, you first need to understand how a
process can be hidden from normal tools/APIs such as Task Manager.

Win32 Kernel Rootkits can hide running processes from users using
techniques like Kernel Native API Hooking, or by directly unlinking the
process's EPROCESS entry from ActiveProcessLinks. Such techniques are very
effective in hiding processes, and are very difficult to detect with
user-mode tools.

To detect such a hidden process, you will also need some kernel-mode driver
or API to do that, such as the code from
http://www.security.org.sg/code/kproccheck.html; http://www.rootkit.com is
a good resource on rootkits and various tools to detect them.

Hope this helps.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
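A cross-view check that follows from both replies above, added here as an example (it is not code from the thread or from Microsoft): view 1 is the listing the first reply relies on, `Process.GetProcesses()` from the .NET Process class; view 2 probes each PID with `OpenProcess`, which the kernel resolves through its handle/CID table rather than by walking `ActiveProcessLinks`. It assumes Windows and a .NET project that allows P/Invoke; the class and method names are my own.

```csharp
// Added example, not from the original thread. Heuristic only: a PID that
// OpenProcess can reach but that is missing from Process.GetProcesses() is a
// candidate for a closer look, not proof of a rootkit.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class ProcessCrossView
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const int ERROR_INVALID_PARAMETER = 87; // OpenProcess: no process with that PID

    // View 1: the PIDs the normal .NET API reports.
    static HashSet<int> ListedPids()
    {
        var set = new HashSet<int>();
        foreach (var p in Process.GetProcesses()) { set.Add(p.Id); p.Dispose(); }
        return set;
    }

    // View 2: probe PIDs directly. A handle (or ACCESS_DENIED, which still
    // means the PID exists) for a PID absent from view 1 is a candidate.
    static List<int> ProbeUnlisted(HashSet<int> listed, int maxPid = 65536)
    {
        var found = new List<int>();
        for (int pid = 8; pid < maxPid; pid += 4) // PIDs are multiples of 4
        {
            if (listed.Contains(pid)) continue;
            IntPtr h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, (uint)pid);
            int err = Marshal.GetLastWin32Error(); // read before any other call
            if (h != IntPtr.Zero) { CloseHandle(h); found.Add(pid); }
            else if (err != ERROR_INVALID_PARAMETER) found.Add(pid);
        }
        // Re-snapshot to drop processes that simply started during the scan.
        var fresh = ListedPids();
        found.RemoveAll(pid => fresh.Contains(pid));
        return found;
    }

    static void Main()
    {
        foreach (int pid in ProbeUnlisted(ListedPids()))
            Console.WriteLine($"PID {pid}: reachable via OpenProcess but not listed by Process.GetProcesses()");
    }
}
```

Run it more than once and only treat PIDs that repeat as candidates; as the second reply notes, a kernel-mode rootkit that also hooks the open path defeats this user-mode check, which is why a kernel-mode scanner is the authoritative view.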