Win2k hidden process
Keywords: Win2k hidden process. Author: Zeng. Source: huiyun.net. Date: 2004-2-20 18:44:42. Clicks: 62.
Under Windows, when a program cannot be closed, when you do not know how to close it, or when you simply cannot be bothered to look for its "Exit" button, you usually press Ctrl+Alt+Del to bring up Task Manager, find the program you want to stop, and click "End Task". It is a little crude, but in most cases it works, doesn't it? Now imagine a piece of software whose job is to impose some restriction on a computer, and which must not be trivially removable by the user through "End Task". What can be done? There are three approaches:

1. Disable the Ctrl+Alt+Del hotkey combination;
2. Keep the program out of the Task Manager process list;
3. Make Task Manager unable to kill the task.

The first is too heavy-handed: people who are used to "End Task" would find it very uncomfortable. The second is easy to implement under Windows 9x by registering the process as a service process (RegisterServiceProcess), but the Windows NT family has no such method; hiding a process there is difficult, and although it can still be done, the mechanism is much more complicated. The third is relatively simple; my own program, the ipgate URL filter, uses it to keep itself from being killed, and that is the method described below.

Task Manager's "End Task" is actually a forced termination of the process, performed by the Win32 API function TerminateProcess(). Here is its definition:

    BOOL TerminateProcess(
        HANDLE hProcess,  // handle of the process to be terminated
        UINT   uExitCode  // exit code for the process
    );

The next step is obvious: hook TerminateProcess(), and every time it is called, check whether the process being terminated is mine; if it is, simply return an error code. Is it really that simple? First problem: how do I determine whether it is my process?
The answer: in my process, first get my own process handle, then pass it through some inter-process communication mechanism to the hook function and compare it with hProcess? Wrong! A handle is a process-relative value: the handle of my process that you obtain inside a different process is meaningless. What then? Let's look at how hProcess is obtained. Only a process's ID is unique; the operating system identifies a process by its process ID, and when a program wants to access a process it must first call OpenProcess() with that process ID to obtain a handle to the process. Its parameters:

    HANDLE OpenProcess(
        DWORD dwDesiredAccess,  // desired access rights
        BOOL  bInheritHandle,   // whether the returned handle is inheritable
        DWORD dwProcessId       // ID of the process to open
    );

The picture is now clear: before calling TerminateProcess() one must call OpenProcess(), and the dwProcessId in OpenProcess()'s parameter list is unique system-wide.
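An added example, not from the original article, that works through the reasoning above in portable C: an observer of OpenProcess() and TerminateProcess() calls (a hook, or an audit trace) attributes each termination attempt to a PID by keying the handles it has recorded on the calling process, because the same handle value can show up in two processes for two different targets. The event layout, the function names and the sample trace are all constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>
/* Constructed event model: what an observer of OpenProcess()/TerminateProcess() sees. */
typedef enum { EV_OPEN, EV_TERMINATE } ev_kind;
typedef struct {
    ev_kind  kind;
    uint32_t caller_pid; /* process that made the call */
    uint32_t handle;     /* OpenProcess result, or TerminateProcess hProcess */
    uint32_t target_pid; /* OpenProcess dwProcessId; unused for EV_TERMINATE */
} event;
/* Handles seen so far, keyed by (caller_pid, handle): values are per-owning-process. */
#define MAX_HANDLES 64
typedef struct { uint32_t caller_pid, handle, target_pid; } open_rec;
static open_rec table[MAX_HANDLES];
static int table_len;
/* Map a TerminateProcess() hProcess back to the dwProcessId given to OpenProcess(). */
static uint32_t resolve_target(uint32_t caller_pid, uint32_t handle) {
    for (int i = 0; i < table_len; i++)
        if (table[i].caller_pid == caller_pid && table[i].handle == handle)
            return table[i].target_pid;
    return 0; /* no OpenProcess() seen for this handle in this caller */
}
/* Replay a trace; return how many TerminateProcess() calls targeted protected_pid. */
int count_terminate_attempts(const event *trace, int n, uint32_t protected_pid) {
    int hits = 0;
    table_len = 0; /* fresh table per replay */
    for (int i = 0; i < n; i++) {
        const event *e = &trace[i];
        if (e->kind == EV_OPEN && table_len < MAX_HANDLES)
            table[table_len++] = (open_rec){ e->caller_pid, e->handle, e->target_pid };
        else if (e->kind == EV_TERMINATE &&
                 resolve_target(e->caller_pid, e->handle) == protected_pid)
            hits++;
    }
    return hits;
}
/* Constructed trace: two callers get the same handle value 0x44 for different targets. */
const event sample_trace[] = {
    { EV_OPEN,      100, 0x44, 500 },
    { EV_OPEN,      200, 0x44, 600 },
    { EV_TERMINATE, 100, 0x44, 0   },
    { EV_TERMINATE, 200, 0x44, 0   },
};
const int sample_trace_len = 4;
int main(void) {
    printf("attempts on PID 500: %d\n", count_terminate_attempts(sample_trace, sample_trace_len, 500));
    return 0;
}
```

Comparing raw handle values alone would count both terminate calls as aimed at the same process; keying on the caller resolves each to its own target PID.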