Reputation: 3563
Wondering how an application like "Process Explorer" or "Combo Fix" detects hidden processes? I'm assuming this must be done in C or C++. It's easy enough to access the process list even in .NET; however, this is not always accurate, as I know rootkits can mask themselves from Task Manager. Is it through memory access and I/O? Curious if anyone knows how this is accomplished.
Upvotes: 1
Views: 3895
Reputation: 24477
This question can't be answered. It depends on how the process has been hidden in the first place. For example, someone can hide a process by injecting a usermode DLL into all processes which hooks EnumProcesses, Process32Next, etc., and all the other APIs related to process enumeration. This would be bypassed with a trampoline which skips the hook.
However, if the process was hidden by modifying the kernel EPROCESS linked list which holds the list of processes, then another method would be needed to subvert the code which performed the hiding. If you define how you think a process is being 'hidden', maybe we can suggest how to detect it. What processes do you think are being hidden but still being discovered by Process Explorer?
Also, taking into consideration what you say, that there could be multiple ways to hide a process: what are some of the common ways to detect this?
The problem is that if you have no idea what you are looking for, it's almost impossible to find it. Suppose a process has made itself hidden from Task Manager by hooking EnumProcesses. You might think this would be an easy case to detect. However, the process could be hooking EnumProcesses in a variety of different ways. For example, an unconditional hook at the start of the function, an IAT hook, causing an access violation to occur at EnumProcesses and catching that with a VEH and modifying EIP/RIP, etc. Even in this simple case, it is not possible to guarantee detection of the hook. This is all assuming that the hook has been performed in usermode on a specific API and also that the code makes no attempt to hide itself from detection.
If you are looking for general guidelines, the best method is probably to look at common detouring techniques. Once you know how a method works, it is trivial to write code to detect the manipulation.
Perhaps if you gave the motivation to write this sort of code or what purpose it would serve, we would be able to help you better.
If you are looking for ways that programs detour execution of other processes, it is usually through one of two means:
Although Detours demonstrates one method of dynamic detouring, there are countless methods used in the industry, especially in the reverse engineering and hacking arenas. These include the IAT and breakpoint methods I mentioned above. To 'point you in the right direction' for these, you should look at 'research' performed in the fields of research projects and reverse engineering.
Upvotes: 10
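Added example, not code from the question or the answer above: a small C checker for the usermode inline-detour case the answer discusses (a jump written over the first bytes of an API such as EnumProcesses). It takes bytes you have already read from the live entry point and the same bytes from the module's on-disk image, compares them, and, when the overwrite matches a common detour shape, works out where the detour goes and whether that leaves the module. The Windows-specific reading part (GetProcAddress on the loaded module, mapping the DLL from disk, reading the IAT) is deliberately left out so the logic runs anywhere; the function names classify_prologue, detour_target and check_api, and the sample bytes and addresses, are constructed for this example and are not a real dump. The IAT and VEH variants the answer mentions are not covered here, which illustrates its point: a byte check only finds the patterns it knows.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Detour shapes commonly written over the first bytes of an API entry point. */
typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,    /* E9 rel32              jmp rel32 (what Detours writes)    */
    HOOK_JMP_MEM,      /* FF 25 disp32          jmp [rip+disp32] (x64) / jmp [abs]  */
    HOOK_PUSH_RET,     /* 68 imm32 ; C3         push addr / ret (x86)               */
    HOOK_MOV_RAX_JMP,  /* 48 B8 imm64 ; FF E0   mov rax, addr / jmp rax (x64)       */
    HOOK_INT3          /* CC                    software breakpoint                 */
} hook_kind;

typedef struct { uint64_t base, size; } module_range;

/* x86 immediates are little-endian regardless of the host. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const uint8_t *p)
{
    return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32;
}

hook_kind classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 1 && p[0] == 0xCC) return HOOK_INT3;
    if (n >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_MEM;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    return HOOK_NONE;
}

/* Address the detour transfers to. `at` is where the bytes were read from.
   Returns 0 when the bytes alone do not give the target (jmp [mem] needs a
   second read of the pointer slot, which is left to the caller). */
uint64_t detour_target(uint64_t at, const uint8_t *p, size_t n)
{
    switch (classify_prologue(p, n)) {
    case HOOK_JMP_REL32:   return at + 5 + (int64_t)(int32_t)le32(p + 1);
    case HOOK_PUSH_RET:    return le32(p + 1);
    case HOOK_MOV_RAX_JMP: return le64(p + 2);
    default:               return 0;
    }
}

int in_module(uint64_t addr, module_range m)
{
    return addr >= m.base && addr < m.base + m.size;
}

/* Verdict for one export: first compare the live bytes with the same bytes
   from the on-disk image, then look at where any recognised detour leads. */
const char *check_api(uint64_t at, const uint8_t *live, const uint8_t *disk,
                      size_t n, module_range home)
{
    if (memcmp(live, disk, n) == 0) return "clean";
    if (classify_prologue(live, n) == HOOK_NONE) return "modified, unknown pattern";
    uint64_t tgt = detour_target(at, live, n);
    if (tgt == 0) return "detour, target needs memory read";
    return in_module(tgt, home) ? "detour, stays in module" : "detour, leaves module";
}

/* Constructed sample (not a real dump): an x64 prologue as it sits on disk,
   and the same entry after a 5-byte jmp with rel32 0x00100000, which lands
   past the end of the (constructed) 1 MiB module. */
static const module_range SAMPLE_HOME = { 0x7FF800000000ULL, 0x100000ULL };
static const uint64_t SAMPLE_AT = 0x7FF800001000ULL;
static const uint8_t SAMPLE_DISK[12] =
    { 0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x6C,0x24,0x10, 0x56,0x57 };
static const uint8_t SAMPLE_HOOKED[12] =
    { 0xE9,0x00,0x00,0x10,0x00, 0x48,0x89,0x6C,0x24,0x10, 0x56,0x57 };

int main(void)
{
    printf("disk vs disk  : %s\n", check_api(SAMPLE_AT, SAMPLE_DISK, SAMPLE_DISK, 12, SAMPLE_HOME));
    printf("live vs disk  : %s\n", check_api(SAMPLE_AT, SAMPLE_HOOKED, SAMPLE_DISK, 12, SAMPLE_HOME));
    printf("detour target : 0x%llx\n",
           (unsigned long long)detour_target(SAMPLE_AT, SAMPLE_HOOKED, 12));
    return 0;
}
```

Two caveats when feeding this real bytes. A mismatch against the disk image is not proof on its own: a prologue containing a relocated absolute address (x86) or hot-patch padding can differ legitimately, so the verdict strings distinguish "modified, unknown pattern" from a recognised detour. And, as the answer says, a hook that changes no bytes at all (an IAT entry redirected to another module, or a guard page plus a VEH handler that rewrites EIP/RIP) is invisible to this check; the IAT case needs the same in_module test applied to each import slot instead of to the code bytes.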