
Procedure doesn’t show (and related).


L. Spiro

Feb 27, 2005, 11:13:02 AM
In a discussion I saw online, someone was having problems finding a process
on the process list, not only in the Task Manager but in other programs and
debuggers as well.
He said in Task Manager, the application is listed but the process is not.

Another person told him that if he used a program that gives itself DEBUG
level, then that program would be able to see all processes.

Then the question was raised as to what would happen if the process hiding
itself was hooking the API to hide itself.

This leaves me with a few questions.
Is it true that DEBUG privilege would allow a process to see all other
processes?
How does a process give itself DEBUG privilege?

What if the process hiding itself is hooking the API to hide?
Which API would it be hooking (rather, how could I hide my process via API
hooks)?

As for hooking, I have a few general questions that I have been wondering
for a while.
Can you remove a hook placed by another procedure (or would it require
actually rewriting the assembly code in the RAM space of the other process)?
Can you override a hook placed by another procedure (could it override mine)?
Can you determine if another procedure has placed a hook and what kind?


L. Spiro

Gary Chanson

Feb 27, 2005, 2:46:20 PM

"L. Spiro" <LSp...@discussions.microsoft.com> wrote in message
news:4AB89B10-86F7-4DAF...@microsoft.com...

> In a discussion I saw online, someone was having problems finding a process
> on the process list, not only in the Task Manager but in other programs and
> debuggers as well.
> He said in Task Manager, the application is listed but the process is not.
>
> Another person told him that if he used a program that gives itself DEBUG
> level, then that program would be able to see all processes.
>
> Then the question was raised as to what would happen if the process hiding
> itself was hooking the API to hide itself.
>
>
>
> This leaves me with a few questions.
> Is it true that DEBUG privilege would allow a process to see all other
> processes?
> How does a process give itself DEBUG privilege?

By calling AdjustTokenPrivileges (also take a look at
LookupPrivilegeValue).

> What if the process hiding itself is hooking the API to hide?

I think if the process does a thorough job of hooking APIs that even a
debugger would not see it.

> Which API would it be hooking (rather, how could I hide my process via API
> hooks)?


There are several which it might have to hook, in the ToolHelp and PDH
libraries.

> As for hooking, I have a few general questions that I have been wondering
> for a while.
> Can you remove a hook placed by another procedure (or would it require
> actually rewriting the assembly code in the RAM space of the other process)?

That's a tough one. I think it would have to invade the process which set
the hook, find the hook handle, and call UnhookWindowsHookEx and this is
likely to crash that process. It can't just invade the hooked process and
unload the DLL because that would surely crash that process.

> Can you override a hook placed by another procedure (could it override
> mine)?

Yes, by setting your own hook after the other hook has been set and
refusing to pass events to it, but this would also prevent any other hooks
from receiving those events. This only works in one direction.

> Can you determine if another procedure has placed a hook and what kind?

I don't think there's any easy way of doing that after the hook has been
set. Before it is set you could set a debug hook.

--
-GJC [MS Windows SDK MVP]
-Software Consultant (Embedded systems and Real Time Controls)
- http://www.mvps.org/ArcaneIncantations/consulting.htm
-gcha...@mvps.org

Gary Chanson

Feb 27, 2005, 2:54:33 PM

"L. Spiro" <LSp...@discussions.microsoft.com> wrote in message
news:4AB89B10-86F7-4DAF...@microsoft.com...
> In a discussion I saw online, someone was having problems finding a process
> on the process list, not only in the Task Manager but in other programs and
> debuggers as well.
> He said in Task Manager, the application is listed but the process is not.
>
> Another person told him that if he used a program that gives itself DEBUG
> level, then that program would be able to see all processes.
>
> Then the question was raised as to what would happen if the process hiding
> itself was hooking the API to hide itself.
>
>
>
> This leaves me with a few questions.
> Is it true that DEBUG privilege would allow a process to see all other
> processes?
> How does a process give itself DEBUG privilege?

By calling AdjustTokenPrivileges (also take a look at
LookupPrivilegeValue).

> What if the process hiding itself is hooking the API to hide?

I think if the process does a thorough job of hooking APIs that even a
debugger would not see it.

> Which API would it be hooking (rather, how could I hide my process via API
> hooks)?


There are several which it might have to hook, in the ToolHelp and PDH
libraries.

> As for hooking, I have a few general questions that I have been wondering
> for a while.
> Can you remove a hook placed by another procedure (or would it require
> actually rewriting the assembly code in the RAM space of the other process)?

That's a tough one. I think it would have to invade the process which set
the hook, find the hook handle, and call UnhookWindowsHookEx and this is
likely to crash that process. It can't just invade the hooked process and
unload the DLL because that would surely crash that process.

> Can you override a hook placed by another procedure (could it override
> mine)?
> Can you determine if another procedure has placed a hook and what kind?

Take a look at debug hooks.
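The last two questions in the thread (can a process be hidden by rewriting an API's code in memory, and can you tell whether such a hook is present and of what kind) can be answered for the in-process case with a prologue check like the one below. This is an added example, not code from either poster: it decodes the first bytes of a function entry and reports whether control is immediately redirected (a 5-byte jmp, the 2-byte hot-patch jmp that overwrites `mov edi,edi`, an indirect jmp, or a push/ret), and on Windows runs that check over the ToolHelp exports Gary names. The x86/x64 encodings are standard; the constructed byte sequences in the test are samples, not captures from a real binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes of a function entry do. Anything but ENTRY_CLEAN means
   control leaves the function immediately, the signature of an inline hook. */
enum entry_kind { ENTRY_CLEAN = 0, ENTRY_JMP_REL32, ENTRY_JMP_SHORT, ENTRY_JMP_INDIRECT, ENTRY_PUSH_RET };

/* Decode up to n bytes of a function located at addr; *target gets the resolved
   jump target (0 if unknown). Heuristic only: thunks and forwarders also begin
   with a jump, so a hit is a lead to compare against the on-disk image, not proof. */
enum entry_kind classify_entry(const unsigned char *p, size_t n, uintptr_t addr, uintptr_t *target)
{
    enum entry_kind kind = ENTRY_CLEAN;
    uintptr_t t = 0;
    int32_t imm;
    if (n >= 5 && p[0] == 0xE9) {                        /* jmp rel32: the classic 5-byte detour */
        memcpy(&imm, p + 1, 4);
        t = addr + 5 + (uintptr_t)(intptr_t)imm;
        kind = ENTRY_JMP_REL32;
    } else if (n >= 2 && p[0] == 0xEB) {                 /* jmp rel8: "mov edi,edi" hot-patch slot overwritten (EB F9 lands in the padding) */
        t = addr + 2 + (uintptr_t)(intptr_t)(int8_t)p[1];
        kind = ENTRY_JMP_SHORT;
    } else if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) { /* jmp [mem]: pointer-indirect, target not resolved here */
        kind = ENTRY_JMP_INDIRECT;
    } else if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) { /* push imm32; ret */
        memcpy(&imm, p + 1, 4);
        t = (uint32_t)imm;
        kind = ENTRY_PUSH_RET;
    }
    if (target) *target = t;
    return kind;
}

/* Same check, returning only the resolved target (handy for one-line assertions). */
uintptr_t entry_target(const unsigned char *p, size_t n, uintptr_t addr) { uintptr_t t; classify_entry(p, n, addr, &t); return t; }

#ifdef _WIN32
#include <windows.h>
/* Run the check over the ToolHelp exports named in the thread, inside our own process. */
void check_toolhelp_exports(void)
{
    static const char *names[] = { "CreateToolhelp32Snapshot", "Process32First", "Process32Next" };
    HMODULE k32 = GetModuleHandleA("kernel32.dll"); uintptr_t t;
    for (size_t i = 0; k32 && i < sizeof names / sizeof *names; i++) {
        const unsigned char *fn = (const unsigned char *)GetProcAddress(k32, names[i]); if (!fn) continue;
        enum entry_kind k = classify_entry(fn, 8, (uintptr_t)fn, &t);
        printf("%-26s %s (kind %d, target %p)\n", names[i], k == ENTRY_CLEAN ? "clean" : "REDIRECTED", (int)k, (void *)t);
    }
}
#endif
```

A redirected entry should then be confirmed by comparing the bytes with the same export in the DLL file on disk, since a legitimate forwarder or thunk also starts with a jump.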
