Hiding from NT TaskManager

Here and there, people keep asking – “How do I hide my process in Windows NT/2000/XP?”. Nearly everyone knows how to do that on Windows 95/98, but there is no definite answer for NT-based systems. So today I’ll give you a short summary of four methods that can be used to hide your process on NT…

Warning : This information is intended for educational purposes only!

DLL Injection
The simplest ways to hide a process is to have no process 😉 Basically what you need to do is place your meaningful code in a DLL, inject that DLL in an inconspicuous process (like Explorer.exe) and run your code. This can be fairly easily achieved by CreateRemoteThread() API function. I have created a sample application & DLL that demonstrate this approach.
Download wsHideDLL.zip (10 Kb, Delphi)

Good : Simplicity, doesn’t affect system stability very much.
Bad : Works only on NT.

API hooking
On NT systems process list is often obtained by calling NtQuerySystemInformation() API function. If you hook this function, you can make you process invisible to other processes. You can similarly hook Process32Next and other functions on other Windows versions to achieve the same result. The problem usually is that API hooking is a non-trivial task, so most likely you’ll end up looking for premade libraries… which are damn expensive.

Good : Depends on hooking method/library. No special considerations for your application (unlike when writing and injecting a DLL).
Bad : Depends on hooking method/library.
Links :
    Description of some APIs you could hook
    Hooking WinNT/2K/XP API
    madCodeHook library
    Hook-API SDK

Writing a driver
Drivers can do anything, so there surely is a way create a custom driver that will hide your process. There is an example of a driver like that and a program using it here (C and Visual Basic). Apparently there is an internal process list in Windows OS that can be modified by this driver. Good luck trying to understand this code 😉

Good : Extremely effective.
Bad : Hard to port, messing with OS internals can cause it to crash. Writing a driver is a complex task.

Hacking TaskManager itself
An ingenious way to solve the problem of hiding your process is to delete it from the “Processes” tab in Task Manager, literally. The list is a SysListView32 control and you can use SendMessage() to tell it to delete specific items. Read the article here : Hack Windows Task Manager.

Good : Clever. I didn’t realize it could be done like that.
Bad : Works only on Task Manager.

I hope this article was useful to you 🙂

Related posts :

3 Responses to “Hiding from NT TaskManager”

  1. […] Note : most functions that access the toolbar will expect you to provide the data/buffers from the adress space of explorer.exe process. So you will need to either use WriteProcessMemory() & ReadProcessMemory() or inject you DLL into the target process. I will assume the latter, as it will notably simplify the task. The former approach is described in this article on CodeProject, which served as basis and inspiration for this post. I included a simple DLL-injection example in my Hiding from NT Task Manage article. […]

  2. NoooH says:

    Peace Up,

    Thanks a lot, I think you found what I’m looking for.

  3. nr says:

    Hi,
    Thanks alot,
    Very nice and practical ways.

    Goodluck.

Leave a Reply