Recently, we have received tons of questions about hidden processes and rootkits. One frequently asked question is: a hidden process was detected on my Windows system, so I know something is wrong, but what does it really mean? The quick answer is that the detection of a hidden process means your system has been attacked, and that the hacker has already taken control of it.
Hiding the presence of a malicious program is obviously more advanced than a non-hidden attack. The big threat it poses is invisibility: the hidden process will not be seen in Task Manager, and ordinary anti-spyware and anti-virus tools are not able to detect it either. An intelligent hacker mounting this kind of advanced attack may not simply intend to steal your credit card number and bank account password, or annoy you with pop-up adware. They might install a hidden backdoor and turn your system into a zombie jumping machine from which to launch attacks against other high-profile targets.
The hidden process itself could be a spyware key logger, a Trojan horse or a backdoor. A common misunderstanding is that we can rely on ordinary anti-spyware and anti-virus tools to detect their existence. Unfortunately the reality is disappointing: not all ordinary security tools can detect hidden spyware, viruses, Trojan horses and backdoors, and consequently those tools have no way to kill and remove them. To better understand why a hidden process is hard to detect, let's take a closer look at the Windows 2000/XP process and the methods by which ordinary tools detect malicious programs.
In Windows 2000/XP, a process is a container for a set of resources used by the threads that execute an instance of a program. A process is fundamentally different from a program, although they appear similar. A program is a static sequence of instructions. At the highest level of abstraction, a Windows 2000/XP process comprises the following:
When a program launches, the Windows 2000/XP system takes a series of actions to create the process for the program. Basically, it opens the image file (the .exe file) to be executed, creates the process object and thread objects, and starts execution of the first thread. Each process is represented by an executive process block (EPROCESS), a process object that lives in system address space. Besides containing many attributes related to the process, an EPROCESS block contains pointers to a number of other data structures. For example, the PEB, a process object in the process address space, contains the image base address, process heap information and other data required in user mode. In a word, the process expresses the execution of a program through data objects, and getting hold of the process is the only way to find out what the program is doing.
There are a couple of ways to hide processes. In this article, we discuss two frequently used methods.
Method 1:
This method hooks a native system API. One example is the NtQuerySystemProcess API. Most applications call this API directly or indirectly to retrieve process information. A hooked NtQuerySystemProcess API can filter out the target process, which results in the process being hidden from the calling application. For example, Task Manager enumerates process information by calling the QuerySystemInformation API. If a process is filtered out by the hooked NtQuerySystemProcess API, that process won't be shown in Task Manager.
Method 2:
Another method is to manipulate the executive process block (EPROCESS) in kernel mode by unlinking the record of the target process. This is a lower-level and more advanced technique than API hooking. It causes both the system and applications to lose track of the hidden process.
Anti-spyware and anti-virus tools detect malicious programs by doing the following.
Leaving aside the first two methods, methods 3 and 4 require the security tool to obtain process information first in order to scan the process memory and loaded DLLs and to watch the process behavior. If ordinary security tools cannot get hold of the process, they are not able to perform any check on it. Clearly, a hidden process makes ordinary security tools blind to it. How bad!
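The unlinking described in Method 2, and the cross-view check a detector can apply against it, as an added example that is not from the original article and is not HiddenFinder's code: a constructed user-mode C model in which the EPROCESS list and the PID table are simplified stand-ins for the real kernel structures (the names mirror Windows internals, but all data lives inside this program). A process that the PID table knows about but the list walk no longer reports is exactly the hidden process the text describes.

```c
#include <stdio.h>
#include <stddef.h>
/* Constructed model: EPROCESS objects chained by LIST_ENTRY (ActiveProcessLinks), plus a PID-indexed table as a second, independent view. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _EPROCESS { unsigned long UniqueProcessId; LIST_ENTRY ActiveProcessLinks; } EPROCESS;
#define CONTAINING_RECORD(a, t, f) ((t *)((char *)(a) - offsetof(t, f)))
#define MAX_PID 64
static LIST_ENTRY PsActiveProcessHead = { &PsActiveProcessHead, &PsActiveProcessHead };
static EPROCESS *PspCidTable[MAX_PID];   /* PID -> EPROCESS, maintained separately from the list */

/* Process creation: register the object in the table and append it to the active list. */
void create_process(EPROCESS *p, unsigned long pid) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    p->UniqueProcessId = pid;
    PspCidTable[pid] = p;
    e->Flink = &PsActiveProcessHead; e->Blink = PsActiveProcessHead.Blink;
    PsActiveProcessHead.Blink->Flink = e; PsActiveProcessHead.Blink = e;
}
/* Method 2 (DKOM): unlink the entry. The object still exists and its threads still run; only the list forgets it. */
void dkom_unlink(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;   /* self-link so the orphaned entry stays consistent */
}
/* View 1: walk the list, which is what Task Manager-style enumeration ends up reporting. */
int list_view(unsigned long *pids, int max) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}
/* Cross-view detection: a PID present in the table but absent from the list walk is hidden. */
int find_hidden(unsigned long *hidden, int max) {
    unsigned long seen[MAX_PID]; int n = list_view(seen, MAX_PID), h = 0;
    for (unsigned long pid = 0; pid < MAX_PID && h < max; pid++) {
        int i = 0;
        if (!PspCidTable[pid]) continue;
        while (i < n && seen[i] != pid) i++;
        if (i == n) hidden[h++] = pid;   /* in the table, missing from the list */
    }
    return h;
}
/* Constructed scenario: three processes, the rootkit unlinks PID 40. Returns the hidden PID, or -1 if none or several. */
long demo(void) {
    static EPROCESS sys, expl, mal; unsigned long hidden[MAX_PID];
    create_process(&sys, 4); create_process(&expl, 12); create_process(&mal, 40);
    dkom_unlink(&mal);
    return find_hidden(hidden, MAX_PID) == 1 ? (long)hidden[0] : -1;
}
int main(void) { printf("hidden pid: %ld\n", demo()); return 0; }
```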
In response to this advanced attack, WenPoint Corp developed HiddenFinder, which is capable of detecting and killing hidden processes and hidden drivers. So far, HiddenFinder is able to detect malicious programs hidden by all known methods. HiddenFinder provides the following useful features to let you quickly find hidden malicious programs and kill them.
Hackers increasingly threaten our information security with new techniques. Therefore, we must take steps to protect our computers against hacking methods, even though there are still many unknowns out there.