Hiding Services

Thread starter: Rock
I apologize if this is not the correct forum to ask this question. It
is a security issue, and we should know the answer.

Does anyone know if it is possible to hide a service such that it
isn't reported in the Task Manager?

If this technology is available, does anyone have a link which
describes how we can programmatically find all the services that are
installed and/or running?

Must all boot and logon services be started through the registry, like
in \Windows NT\Notify for logon services?

The other question is how can we find out if some program has hooked
the IFS (installable file system) such that all reads/writes may be
redirected? I have read that some viruses are constructed in this
manner, and I would like to detect this situation.

regards

Rock
 
I meant Processes,

Processes, not services.

Processes not services.

Slip of the fingers.....
 
It can be done through programming techniques - don't know of any program
that can do it after the fact.
 
Yes. Rootkit attacks can hide processes from Task Manager. If you suspect such, you
should view the processes running via a remote computer and compare it to what is
found running locally. I suggest you use PsList to scan remotely and locally and use
Process Explorer to get more detailed info on processes, including what services are
used by an instance of svchost. A computer suspected of a rootkit problem should
also be scanned remotely for viruses, or by putting the hard drive in another computer
to scan with a different operating system running. --- Steve

http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.giac.org/practical/GSEC/Adam_Gaydosh_GSEC.pdf -- info on rootkits.
 
Rock said:
I meant processes, not services. Slip of the fingers.....

Yes. There are a number of ways to do this.
One is to hook NtQuerySystemInformation and strip out the application you
don't want to appear from the return value.
Another is to inject your exe into an already running process (more
difficult).
A third is subclassing Taskmanager.exe to remove your process from the list.
There are probably more methods available, but those are three that spring to
mind.

You can use the PSAPI (part of the Platform SDK) to retrieve this
information. You could start here for details:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/perfmon/base/process_information.asp

Another very nice solution using a kernel mode driver is described here:
http://www.codeproject.com/threads/ProcMon.asp


AFAIK, that's the case.

You could write your own NT service that loads early (has no dependencies
listed) that inserts a system-wide hook using SetWindowsHookEx() looking
for any other application that makes a call to SetWindowsHookEx() or other
functions that would be specific to the IFS and logs it.
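The hook-and-strip method described in the reply above, together with the remote-versus-local comparison Steve suggests, as an added example that is not from the thread or from any of the linked tools. The struct below is a constructed simplification of SYSTEM_PROCESS_INFORMATION (only the NextEntryOffset chain, the PID and the image name are modelled) and the PIDs and names are made up, so the code builds with any C compiler and does not need the Windows SDK; on a real system the hook would sit on ntdll!NtQuerySystemInformation inside Task Manager's address space and edit the real buffer in the same way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_NAME 32

/* Constructed stand-in for SYSTEM_PROCESS_INFORMATION (assumption: only the
 * three fields this example needs are modelled). As in the real structure,
 * NextEntryOffset is the byte distance to the next entry and 0 ends the list. */
typedef struct {
    uint32_t NextEntryOffset;
    uint32_t UniqueProcessId;
    char     ImageName[MAX_NAME];
} ProcEntry;

/* Lay entries out back to back, as the kernel fills the caller's buffer.
 * Caller frees the result. */
ProcEntry *build_snapshot(const uint32_t *pids, const char *const *names, size_t n)
{
    ProcEntry *buf = calloc(n, sizeof *buf);
    if (!buf) return NULL;
    for (size_t i = 0; i < n; i++) {
        buf[i].UniqueProcessId = pids[i];
        strncpy(buf[i].ImageName, names[i], MAX_NAME - 1);
        buf[i].NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof *buf : 0;
    }
    return buf;
}

static ProcEntry *next_entry(ProcEntry *e)
{
    return e->NextEntryOffset ? (ProcEntry *)((char *)e + e->NextEntryOffset) : NULL;
}

/* What a hook on NtQuerySystemInformation does after the real call returns:
 * walk the chain and splice out entries whose image name matches by making
 * the previous entry point past them. The first entry (the idle process on a
 * real system) is never removed because it has no predecessor to re-point.
 * Returns the number of entries hidden. */
int hide_process(ProcEntry *buf, const char *name)
{
    int hidden = 0;
    ProcEntry *prev = buf;
    ProcEntry *cur = next_entry(buf);
    while (cur) {
        ProcEntry *next = next_entry(cur);
        if (strcmp(cur->ImageName, name) == 0) {
            /* prev's offset now spans cur as well; 0 if cur was the last entry */
            prev->NextEntryOffset = cur->NextEntryOffset
                ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            hidden++;
        } else {
            prev = cur;
        }
        cur = next;
    }
    return hidden;
}

/* What Task Manager or PsList effectively do: follow the chain, collect PIDs. */
size_t walk_snapshot(ProcEntry *buf, uint32_t *out, size_t max)
{
    size_t n = 0;
    for (ProcEntry *e = buf; e && n < max; e = next_entry(e))
        out[n++] = e->UniqueProcessId;
    return n;
}

/* Cross-view check: PIDs present in the trusted snapshot (taken from a remote
 * machine, or a clean boot) but absent from the local view are the suspects. */
size_t cross_view_diff(const uint32_t *trusted, size_t nt,
                       const uint32_t *local, size_t nl,
                       uint32_t *missing, size_t max)
{
    size_t nm = 0;
    for (size_t i = 0; i < nt && nm < max; i++) {
        int found = 0;
        for (size_t j = 0; j < nl; j++)
            if (local[j] == trusted[i]) { found = 1; break; }
        if (!found) missing[nm++] = trusted[i];
    }
    return nm;
}

int main(void)
{
    /* Constructed sample process table; PIDs and names are made up. */
    const uint32_t pids[] = {0, 4, 612, 1337, 2048};
    const char *const names[] = {"System Idle Process", "System", "svchost.exe",
                                 "evil.exe", "taskmgr.exe"};
    size_t n = sizeof pids / sizeof pids[0];

    ProcEntry *trusted = build_snapshot(pids, names, n); /* remote view   */
    ProcEntry *local   = build_snapshot(pids, names, n); /* hooked view   */
    hide_process(local, "evil.exe");

    uint32_t t[8], l[8], missing[8];
    size_t nt = walk_snapshot(trusted, t, 8);
    size_t nl = walk_snapshot(local, l, 8);
    size_t nm = cross_view_diff(t, nt, l, nl, missing, 8);

    printf("trusted view: %zu processes, local view: %zu\n", nt, nl);
    for (size_t i = 0; i < nm; i++)
        printf("hidden locally: PID %u\n", missing[i]);

    free(trusted);
    free(local);
    return 0;
}
```

Two things worth noticing. The hook only rewrites offsets; the hidden entry's bytes are still sitting in the buffer, so a detector that walks the chain and compares the span it covers against the length the call actually returned (or simply scans the gap) can find the orphaned entry without any second machine. And the remote comparison works because PsList run against the box from elsewhere gets its list through the remote host's own, unhooked code path, which is exactly why a snapshot taken from a different machine is worth more than one taken locally.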
 