A hidden userland process can be easily detected. It leaves a large memory footprint. For instance, you would also have to hide the kernel handles opened by that process. The hidden process can be tracked down by searching the kernel open handles if they are not hidden. A lot of malware is written on the kernel level in the form of device drivers.

But anyway, Direct Kernel Object Manipulation (DKOM) is one method of hiding a process. The list of active processes is obtained by traversing a doubly linked list referenced in the EPROCESS structure of each process. A process's EPROCESS structure contains a LIST_ENTRY structure that has the members FLINK and BLINK. FLINK and BLINK are pointers to processes in front of and behind the current process. You must change the FLINK and BLINK pointer values of the forward and rearward EPROCESS blocks to point around the process to be hidden.

Obviously, there is a lot more to hiding a process than just changing the pointers. But this is just a starting point for your journey down the road of knowledge.
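The detection idea mentioned above (a process missing from the active list still shows up as an owner of open handles) can be shown as a cross-view comparison. This is an added example, not part of the original post: it is a user-mode model in which the struct layout, the PIDs and the handle-owner list are all constructed, and no real kernel offsets or APIs are used.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for LIST_ENTRY / EPROCESS (constructed model, not real layouts). */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;
typedef struct { int pid; list_entry links; } eprocess;

#define FROM_LINKS(p) ((const eprocess *)((const char *)(p) - offsetof(eprocess, links)))

/* View 1: is this PID reachable by walking the active-process list from head? */
static int in_active_list(const list_entry *head, int pid) {
    for (const list_entry *e = head->flink; e != head; e = e->flink)
        if (FROM_LINKS(e)->pid == pid) return 1;
    return 0;
}

/* Cross-view diff: PIDs that own handles (view 2) but are absent from view 1.
   Writes each such PID once to out[] and returns how many were found. */
static int find_hidden(const list_entry *head, const int *owners, int n, int *out) {
    int found = 0;
    for (int i = 0; i < n; i++) {
        int dup = 0;
        for (int j = 0; j < found; j++) if (out[j] == owners[i]) dup = 1;
        if (!dup && !in_active_list(head, owners[i])) out[found++] = owners[i];
    }
    return found;
}

/* Constructed sample: head <-> 4 <-> 812 <-> 1337 <-> 2040, after which the
   neighbours of 1337 point around it, the state the post describes. */
static int demo(int *out) {
    static list_entry head;
    static eprocess p[4] = {{4}, {812}, {1337}, {2040}};
    list_entry *prev = &head;
    for (int i = 0; i < 4; i++) {
        prev->flink = &p[i].links; p[i].links.blink = prev; prev = &p[i].links;
    }
    prev->flink = &head; head.blink = prev;
    p[1].links.flink = &p[3].links;   /* 812's FLINK now skips 1337 */
    p[3].links.blink = &p[1].links;   /* 2040's BLINK now skips 1337 */
    static const int handle_owners[] = {4, 812, 1337, 1337, 2040}; /* constructed */
    return find_hidden(&head, handle_owners, 5, out);
}

int main(void) {
    int hidden[8], n = demo(hidden);
    for (int i = 0; i < n; i++)
        printf("PID %d owns handles but is not in the process list\n", hidden[i]);
    return 0;
}
```

The comparison only works while the second view is intact; as the post notes, it fails if the handles are hidden as well.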