Posts

Showing posts from December, 2019

Process Hidden In Just one line code (Windows)

Hi there!

This is an interesting case I found by accident while building a C program that updates itself. For a Windows programmer, the natural choice for renaming or moving a file is the Win32 API MoveFileA:


The interesting part is that this API also works on a running image. In other words, the Windows kernel lets you rename your own *.exe, or move it to another directory, while the program is still executing. That made me curious about what happens when the on-disk *.exe name no longer matches the image name recorded at process creation (stored in the PEB).



First, I renamed the executable while the program was running; the result is as follows:

In Process Explorer, the process is still displayed under the name written into the PEB when the image was mapped, so Process Explorer takes the process name from the path recorded in the PEB. But what about Task Manager?
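To reproduce the rename-while-running experiment without writing the C program, the following PowerShell script is an added example (it is not code from the original post). It copies a long-running system executable, starts it, renames the file underneath the live process, and then prints the process name from two different sources: the loader data in the target PEB (what GetModuleFileNameEx, and therefore .NET's Process.MainModule, reads) and the kernel's name for the mapped image section (QueryFullProcessImageName). Comparing the two against what Process Explorer and Task Manager display lets you check which source each tool uses. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, and that ping.exe exists in System32; the class name ImageName and the directory rename-demo are arbitrary choices for the demo.

```powershell
# Added example (not from the original post): rename a running executable and
# read its process name from two different sources.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, an NTFS volume,
# and ping.exe in System32 (any long-running executable would do).

$work = Join-Path $env:TEMP 'rename-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$orig = Join-Path $work 'original.exe'
Copy-Item (Join-Path $env:SystemRoot 'System32\ping.exe') $orig -Force

# Start the copy so it keeps running while the file is renamed underneath it.
$proc = Start-Process -FilePath $orig -ArgumentList '-t 127.0.0.1' -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 1

# Rename the on-disk image while the process is alive. Rename-Item ends up in
# MoveFileEx, the same family of calls as the MoveFileA used in the post.
Rename-Item -Path $orig -NewName 'renamed.exe'

# View 1: the loader's record in the target process's PEB. Process.MainModule
# is built from GetModuleFileNameEx, which reads that loader data.
$pebName = (Get-Process -Id $proc.Id).MainModule.FileName

# View 2: the kernel's name for the mapped image section, via
# QueryFullProcessImageName (does not touch the target PEB).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class ImageName {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool QueryFullProcessImageName(
        IntPtr hProcess, uint dwFlags, StringBuilder lpExeName, ref uint lpdwSize);
}
"@
$buf = New-Object System.Text.StringBuilder 1024
[uint32]$size = $buf.Capacity
if (-not [ImageName]::QueryFullProcessImageName($proc.Handle, 0, $buf, [ref]$size)) {
    throw "QueryFullProcessImageName failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$kernelName = $buf.ToString()

"PEB/loader view    : $pebName"
"Kernel section view: $kernelName"
"On disk now        : $(Get-ChildItem $work | Select-Object -ExpandProperty Name)"

# Clean up: the renamed image can only be deleted once the process has exited.
Stop-Process -Id $proc.Id
$proc.WaitForExit()
Remove-Item -Recurse -Force $work
```

Run it from an elevated or normal session (the process is your own, so no special privilege is needed), and while it sleeps after the rename open Process Explorer and Task Manager to see which of the two printed names each tool shows. Note that deletion of the image still fails while the process is running even though the rename succeeds; that asymmetry is why the self-update trick works at all.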



Task Manager lists processes with the Win32 API EnumProcesses (I guess so), so the process name is shown as the new fi…