Controlling Windows process list

In one of my previous posts (check Suspending processes in Windows), I was trying to discuss the well-known and less popular techniques making it possible to suspend threads or entire processes working under Microsoft Windows OS control. I also announced that a specific way of TaskMgr.exe modification – extending it with the interesting functionality – would be described in the next post. Although, before getting straight to the point (this is – changing the executable binary code), we have to consider someĀ  other important matters. Namely, we intend to have the modification applied to every single Task Manager instance running on the system. Right here, we have a few possible paths to go:

  • Perform a one-time TaskMgr.exe system file alteration on hard disk.
  • Create an additional executable file, called the loader – associated with the Task Manager and launched as its debugger.
  • Leave the hard disk contents unchanged – modify only the virtual memory of all active processes, meeting some specific requirements (in our case – executable image path).

Each option presented above has it’s own set of drawbacks. When it comes to physical HDD modification, we start playing with system file data, which should be always considered dangerous and unwanted behavior. What is more, since Windows keeps many backup copies of core system applications, we would have to get rid of or modify all the existing Task Manager backups. In general, I find the method a little bit too messy to use in practice. If you would like to read more about this subjects, Windows File Protection and Windows Resource Protection should be a good place to start.

Read more

TraceHook v0.0.2

Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number – 0.0.2. Until now, the application has been designed for my own purposes – it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.

The main purpose and used techniques remain the same – it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.

The new version has been mainly enhanced with a new dump file format – Windows MiniDump. As opposed to a full raw memory dump, performed entirely in kernel-mode, the minidump file is written to from user-mode. Moving the dumping function to user area makes it possible to extend the project with more, safe functions implementing new file formats, depending on the user’s needs.

A complete package (EXE + sources): (50 kB)

Read more