Hiding Services

Rock

Distinguished
Oct 13, 2002
1,242
0
19,280
Archived from groups: microsoft.public.win2000.security

I apologize if this is not the correct forum to ask this question. It
is a security issue, and we should know the answer.

Does anyone know: is it possible to hide a service such that it
isn't reported in Task Manager?

If this technology is available, does anyone have a link which
describes how we can programmatically find all the services that are
installed and/or running?

Must all boot and logon services be started through the registry, like
in \Windows NT\Notify for logon services?

The other question is how can we find out if some program has hooked
the IFS (installable file system) such that all read/writes may be
redirected? I have read that some viruses are constructed in this
manner, and I would like to detect this situation.

regards

Rock
 

Rock

I meant Processes,

Processes, not services.

Processes not services.

Slip of the fingers.....

On Wed, 15 Sep 2004 18:20:06 GMT, Rock <rock1@hotmail.com> wrote:

>I apologize if this is not the correct forum to ask this question. It
>is a security issue, and we should know the answer.
>
>Does anyone know: is it possible to hide a service such that it
>isn't reported in Task Manager?
>
>If this technology is available, does anyone have a link which
>describes how we can programmatically find all the services that are
>installed and/or running?
>
>Must all boot and logon services be started through the registry, like
>in \Windows NT\Notify for logon services?
>
>The other question is how can we find out if some program has hooked
>the IFS (installable file system) such that all read/writes may be
>redirected? I have read that some viruses are constructed in this
>manner, and I would like to detect this situation.
>
>regards
>
>Rock
 
Guest

It can be done through programming techniques - don't know of any program
that can do it after the fact.

--
Mike Matheny

"Rock" <rock1@hotmail.com> wrote in message
news:4d2hk0t04i544kgn0iai6joqv1i4d6b2f5@4ax.com...
 
Guest

Yes. Rootkit attacks can hide processes from Task Manager. If you suspect such you
should view the processes running via a remote computer and compare it to what is
found running locally. I suggest you use PsList to scan remotely and locally and use
Process Explorer to get more detailed info on processes including what services are
used by an instance of svchost. A computer suspected of a rootkit problem should
also be scanned remotely for viruses or by putting the hard drive in another computer
to scan with a different operating system running. --- Steve

http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.giac.org/practical/GSEC/Adam_Gaydosh_GSEC.pdf -- info on rootkits.

"Rock" <rock1@hotmail.com> wrote in message
news:4d2hk0t04i544kgn0iai6joqv1i4d6b2f5@4ax.com...
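The local-versus-remote comparison Steve describes can be scripted. What follows is an added example written for this page; it is not part of the original thread and not code from the Sysinternals tools. It assumes Windows PowerShell 5.1 (for Get-WmiObject over DCOM), administrator rights on the suspect, the hostname SUSPECT-PC, and a folder C:\evidence on the suspect reachable through the C$ administrative share; all of those names are placeholders. Only PIDs are compared, because the two views spell process names differently (Get-Process drops the .exe suffix, Win32_Process keeps it). The check is meaningful against a hook that lives in one process, such as something injected into taskmgr.exe; a hook installed in every user-mode process, or in the kernel, makes the two views agree, which is why the offline scan in the same post remains the authoritative step.

```powershell
# Added example (not from the thread): cross-view process comparison.
# Assumptions: Windows PowerShell 5.1, hostname SUSPECT-PC, admin rights there,
# C:\evidence on the suspect reachable as \\SUSPECT-PC\C$\evidence.

function Get-LocalProcessView {
    # Run ON the suspect. Get-Process enumerates through
    # NtQuerySystemInformation, the same call taskmgr.exe relies on, so
    # anything hidden from Task Manager by a hook on that path is hidden here.
    Get-Process | Select-Object -Property Id, ProcessName
}

function Get-RemoteProcessView {
    # Run FROM a trusted host. The answer is produced by the suspect's WMI
    # provider host (wmiprvse.exe) over DCOM, a different process from the
    # one that produced the local view. A hook injected only into
    # taskmgr.exe or powershell.exe does not reach it; a hook present in
    # every process, or in the kernel, still does.
    param([Parameter(Mandatory)] [string] $ComputerName)
    Get-WmiObject -Class Win32_Process -ComputerName $ComputerName |
        Select-Object -Property @{ n = 'Id'; e = { $_.ProcessId } },
                                @{ n = 'ProcessName'; e = { $_.Name } }
}

function Compare-ProcessViews {
    param(
        [Parameter(Mandatory)] [object[]] $LocalView,
        [Parameter(Mandatory)] [object[]] $RemoteView
    )
    $localIds  = @($LocalView  | ForEach-Object { [int] $_.Id })
    $remoteIds = @($RemoteView | ForEach-Object { [int] $_.Id })

    # Seen from outside but not by the suspect's own enumeration: the
    # signature of a process hidden from the local view.
    $hidden = @($RemoteView | Where-Object { ([int] $_.Id) -notin $localIds })

    # Seen locally only: normally something that started or exited between
    # the two snapshots, or a reused PID. Take both snapshots again before
    # reading anything into it.
    $localOnly = @($LocalView | Where-Object { ([int] $_.Id) -notin $remoteIds })

    [pscustomobject]@{ HiddenFromLocalView = $hidden; LocalOnly = $localOnly }
}

# Step 1, on SUSPECT-PC (elevated), as close in time to step 2 as possible:
#   . .\Compare-ProcessViews.ps1   # dot-source this file, then:
#   Get-LocalProcessView | Export-Csv -NoTypeInformation -Path 'C:\evidence\local.csv'
#
# Step 2, on the trusted host:
$Suspect = 'SUSPECT-PC'
$remote  = Get-RemoteProcessView -ComputerName $Suspect
$local   = Import-Csv -Path "\\$Suspect\C$\evidence\local.csv"
$result  = Compare-ProcessViews -LocalView $local -RemoteView $remote
$result.HiddenFromLocalView | Format-Table -Property Id, ProcessName -AutoSize
```

Without a second machine, `Get-RemoteProcessView -ComputerName .` still gives a second view produced by wmiprvse.exe rather than by the shell that ran Get-Process, so the comparison keeps its value against a hook confined to one process. PID reuse between the two snapshots shows up in LocalOnly, not in HiddenFromLocalView, which is why the two lists are reported separately.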
 
Guest

Rock <rock1@hotmail.com> said

> I meant Processes,
>
> Processes, not services.
>
> Processes not services.
>
> Slip of the fingers.....
>
> On Wed, 15 Sep 2004 18:20:06 GMT, Rock <rock1@hotmail.com> wrote:
>
>>I apologize if this is not the correct forum to ask this question. It
>>is a security issue, and we should know the answer.
>>
>>Does anyone know: is it possible to hide a service such that it
>>isn't reported in Task Manager?

Yes. There are a number of ways to do this.
One is to hook NtQuerySystemInformation and strip the application you
don't want to appear out of the return value.
Another is to inject your exe into an already running process (more
difficult).
Subclassing Taskmanager.exe to remove your process from the list.
There are probably more methods available, but those are three that spring to
mind.

>>
>>If this technology is available, does anyone have a link which
>>describes how we can programmatically find all the services that are
>>installed and/or running?

You can use the PSAPI (part of the Platform SDK) to retrieve this
information. You could start here for details:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/perfmon/base/process_information.asp

Another very nice solution using a kernel mode driver is described here:
http://www.codeproject.com/threads/ProcMon.asp


>>
>>Must all boot and logon services be started through the registry, like
>>in \Windows NT\Notify for logon services?

AFAIK, that's the case.

>>
>>The other question is how can we find out if some program has hooked
>>the IFS (installable file system) such that all read/writes may be
>>redirected? I have read that some viruses are constructed in this
>>manner, and I would like to detect this situation.
>>

You could write your own NT service that loads early (has no dependencies
listed) that inserts a system-wide hook using SetWindowsHookEx() looking
for any other application that makes a call to SetWindowsHookEx() or other
functions that would be specific to the IFS and logs it.

--
Andy.
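Andy's reply covers enumeration, the registry and file-system hooks as separate questions. The following added example, written for this page and not code from the thread, pulls the corresponding checks into one script: it compares the Service Control Manager's list with the Services registry key (a service registered there but absent from the SCM's enumeration is either a stale key or something interfering with enumeration), dumps the Winlogon Notify packages the question asks about, and lists file-system filters. On that last point, a file-system filter is a kernel driver, so the evidence of one is its driver registration and, for minifilters, the Filter Manager's list (fltmc.exe, Windows Vista and later); a user-mode window hook of the SetWindowsHookEx kind does not observe kernel I/O. Assumptions: Windows PowerShell 5.1 or later, run elevated on the host being examined. A kernel-mode rootkit can filter registry and driver enumeration just as it filters processes, so these checks catch user-mode tampering and stale registrations; the offline scan recommended earlier in the thread remains the authoritative check.

```powershell
# Added example (not from the thread). Three checks on the host being
# examined, run elevated in Windows PowerShell 5.1 or later (an assumption).

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceTypeMap {
    # Returns @{ Name = Type } for every subkey that carries a Type value.
    $map = @{}
    foreach ($k in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $t = (Get-ItemProperty -Path $k.PSPath -Name Type -ErrorAction SilentlyContinue).Type
        if ($null -ne $t) { $map[$k.PSChildName] = [int] $t }
    }
    $map
}

function Get-UnenumeratedServices {
    # View 1: what the SCM reports (Get-Service calls EnumServicesStatusEx).
    $scm = @(Get-Service | ForEach-Object { $_.Name })
    # View 2: Win32 services in the registry. Type bits 0x10 (own process)
    # and 0x20 (shared process) mark services; 0x1 and 0x2 are drivers,
    # which Get-Service never lists, so they are excluded from the comparison.
    $types = Get-ServiceTypeMap
    foreach ($name in $types.Keys) {
        if (($types[$name] -band 0x30) -ne 0 -and $name -notin $scm) {
            $p = Get-ItemProperty -Path (Join-Path $ServicesKey $name)
            [pscustomobject]@{
                Name      = $name
                ImagePath = $p.ImagePath
                Start     = $p.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            }
        }
    }
}

function Get-WinlogonNotifyPackages {
    # The key the question refers to: each subkey names a DLL that Winlogon
    # loads into its own process at logon on Windows 2000/XP/2003. Vista and
    # later no longer honour it, so on a modern host the list should be empty.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path -Path $key)) { return }
    foreach ($k in Get-ChildItem -Path $key) {
        $p = Get-ItemProperty -Path $k.PSPath
        [pscustomobject]@{
            Package = $k.PSChildName
            DllName = $p.DLLName
            Logon   = $p.Logon     # exported function called at logon
            Startup = $p.Startup   # exported function called at boot
        }
    }
}

function Get-FileSystemFilters {
    # Minifilters register with the Filter Manager; fltmc.exe lists them with
    # their altitude, i.e. their position in the I/O path (Vista and later).
    $minifilters = & fltmc.exe filters 2>$null
    # Legacy filters attach to the file-system device stack directly and are
    # not in that list. They are registered as drivers under the Services
    # key; Type 2 is SERVICE_FILE_SYSTEM_DRIVER, which also covers the real
    # file systems and most minifilters, so compare against a known-good host.
    $types  = Get-ServiceTypeMap
    $legacy = foreach ($name in $types.Keys) {
        if ($types[$name] -eq 2) {
            $p = Get-ItemProperty -Path (Join-Path $ServicesKey $name)
            [pscustomobject]@{ Driver = $name; ImagePath = $p.ImagePath; Start = $p.Start }
        }
    }
    [pscustomobject]@{ Minifilters = $minifilters; FileSystemDrivers = $legacy }
}

# Usage: run each check and eyeball the output, or export it for a diff
# against the same output from a machine you trust.
Get-UnenumeratedServices   | Format-Table -AutoSize
Get-WinlogonNotifyPackages | Format-Table -AutoSize
$fs = Get-FileSystemFilters
$fs.Minifilters
$fs.FileSystemDrivers | Sort-Object Driver | Format-Table -AutoSize
```

The service comparison deliberately uses two independent paths (the SCM's RPC interface and the raw registry hive) for the same reason the process check earlier in the thread compares two views: a hook on one enumeration API does not normally reach the other. Entries that turn up in Get-UnenumeratedServices are most often leftovers from uninstalled software, so check the ImagePath on disk before treating one as hostile.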