Process Hidden In Just one line code (Windows)

Hi there!

This is an interesting case I found by accident while building a C program that updates itself. For a Windows programmer, the natural choice for renaming or moving a file is the Win32 API MoveFileA:

The interesting part is that this API also works on a running image. In other words, the Windows kernel lets you rename your own *.exe, or move it to another directory, while the program is still running. So I got curious about what would happen when the on-disk *.exe file name no longer matched the static file name stored in the PEB.

First, I renamed the executable while the program was running, and the result was as follows:

In Process Explorer, the program name was still displayed as the name written into the PEB when the file was mapped, so Process Explorer evidently takes the process name from the file name recorded in the PEB. But what about Task Manager?

Task Manager lists process names through the Win32 API EnumProcesses (my guess), so the process name is shown as the new file name. The file path in the Details view, however, still comes from the PEB record.

So I had an idea worth trying ;)

Rename the program to "Microsoft Update Service" and the result is:

So a single line of code is enough to show users a fake program name in Task Manager.
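A defender-side sweep for the mismatch described above, written for this edit rather than taken from the post. It assumes that `Process.MainModule.FileName` reflects the path recorded in the process's PEB loader data at load time, while `QueryFullProcessImageName` returns the current name of the image's file object, so an executable renamed or moved after start-up shows up as a disagreement between the two (or as a PEB path that no longer exists on disk).

```powershell
# Added example (not the post's own code): list running processes whose
# on-disk image name no longer matches the path their PEB recorded at start.
# Assumption: MainModule.FileName comes from the PEB loader list (captured at
# load); QueryFullProcessImageName asks the kernel for the file object's
# current name, so a post-start rename appears as a mismatch.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, int dwFlags,
    System.Text.StringBuilder lpExeName, ref int lpdwSize);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'K32' -Namespace 'Probe' -PassThru

function Get-KernelImagePath([System.Diagnostics.Process]$p) {
    $sb  = New-Object System.Text.StringBuilder 1024
    $len = $sb.Capacity
    if ($k32::QueryFullProcessImageName($p.Handle, 0, $sb, [ref]$len)) {
        return $sb.ToString(0, $len)
    }
    return $null
}

foreach ($p in Get-Process) {
    try {
        $pebPath    = $p.MainModule.FileName   # path recorded when the image was mapped
        $kernelPath = Get-KernelImagePath $p   # name the image file object carries now
    } catch { continue }                       # access denied on protected/system processes
    if (-not $kernelPath) { continue }

    $pebName    = [IO.Path]::GetFileName($pebPath)
    $kernelName = [IO.Path]::GetFileName($kernelPath)
    $pebExists  = Test-Path -LiteralPath $pebPath

    # Either signal means the file was renamed, moved or deleted after start-up.
    if ($pebName -ne $kernelName -or -not $pebExists) {
        [pscustomobject]@{
            PID           = $p.Id
            ShownAs       = $kernelName    # what Task Manager-style listings display
            StartedAs     = $pebName       # what the PEB still records
            CurrentPath   = $kernelPath
            PebPathExists = $pebExists
        }
    }
}
```

Legitimate self-updaters that rename their own image will also trigger this, so treat a hit as a lead to inspect the on-disk file and its signature, not as a verdict on its own.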
