LVM_FINDITEM

hxhl95

I just read this article: http://www.codeproject.com/KB/system/Hack_Windows_Task_Manager.aspx[^], and I thought it would be quite interesting if an app is able to modify one entry in task manager's listbox, thus hiding itself. It sounded easy enough to replace LVM_DELETECOLUMN with LVM_DELETEITEM, but I'm getting strange errors with SendMessage. So right now I have something like this:

LVFINDINFO findInfo;
ZeroMemory(&findInfo, sizeof(LVFINDINFO));
findInfo.flags=LVFI_STRING;
findInfo.psz=(LPCSTR)"myTest.exe";

Then I tried this (hWnd is for Windows Task Manager, not my app):

int index = ::SendMessage(hWnd,LVM_FINDITEM,(WPARAM)0,(LPARAM)(const LVFINDINFO FAR*)&findInfo);
if (index!=-1) ::SendMessage(hWnd,LVM_DELETEITEM,index,0);

It crashes taskmgr. I was browsing through the comments on that article when I found a piece of code in Delphi that supposedly does what I'm trying to do. After my attempt to translate it into C++, it looks like this:

DWORD ProcessID;
GetWindowThreadProcessId(hWnd,&ProcessID);
HANDLE pHandle=OpenProcess(PROCESS_ALL_ACCESS,FALSE, ProcessID);
if (pHandle!=NULL){
LPVOID address=VirtualAllocEx(pHandle,NULL,sizeof(findInfo),MEM_RESERVE | MEM_COMMIT,PAGE_READWRITE);
if (WriteProcessMemory(pHandle,address,&findInfo,sizeof(findInfo),NULL)!=FALSE){
int index = ::SendMessage((HWND)pHandle,LVM_FINDITEM,(WPARAM)0,(LPARAM)(const LVFINDINFO FAR*)address);
if (index!=-1) ::SendMessage(hWnd,LVM_DELETEITEM,index,0);
}
CloseHandle(pHandle);
VirtualFreeEx(pHandle,NULL,sizeof(findInfo),MEM_DECOMMIT);

	}

Unfortunately, that doesn't work either. The LVM_FINDITEM SendMessage returns 0, so all it's doing right now is deleting the first entry off taskmgr every 10 milliseconds. If anyone could correct me on my usage of SendMessage with LVM_FINDITEM that would be appreciated. :)

Michael Dunn

Did you also allocate the string (stored in findInfo.psz) in the other process's address apace?

--Mike-- Visual C++ MVP :cool: LINKS~! CP SearchBar v3.0 | C++ Forum FAQ I work for Keyser Söze

hxhl95

:wtf: I don't quite understand what you just said. :confused: The listbox that I'm searching does have the entry "myTest.exe", if that's what you're saying.

AlexAbramov

Another way to hide entries would be to hook the ZwQuerySystemInformation API, which Task Manager calls to get a list of the running processes on the system. You can modify the linked list of processes returned by changing around the NextEntryDelta member of the SYSTEM_PROCESS_INFORMATION struct once the process is found (ProcessName member). I don't really see why you'd want to hide a process from Task Manager though -- outside of malicious purposes.

hxhl95

I get dizzy everytime I look at something related to drivers. You DO need to create a driver to hook the ZwQuerySystemInformation API right? I've been trying to learn how to hook the NT kernel functions for a long time now, and I'm not getting anywhere. There aren't any good tutorials :sigh: And also, that isn't really my goal. As I said in my post, I just read an article on modifying Task Manager's listboxes and I was curious if that meant a process could be able to hide itself. I'm not doing this for any malicious purposes. Just doing it to satisfy my curiosity ;P

AlexAbramov

If you don't like drivers then its possible to hook that function in a DLL and inject the DLL into Task Manager. Although I'd go with NtQuerySystemInformation then instead of Zw, since Zw are more commonly used from kernel mode and you want to intercept it in user-mode. Nt vs. Zw - Clearing Confusion On The Native API[^] --- Similiar technique in action[^]

hxhl95

:omg: It's possible to hook kernel functions without writing a driver? I didn't know that. ;P

krishnakumartm

Thank U for valuble question. The suggestion for allocating string other process worked well, but i need to set the postion for that i have to use LVM_SETITEMPOSITION, how can i create the POINT value in the other process. Thanks in advance.

---------------------------- KRISHNA KUMAR T M