How do some viruses run their threads without appearing in the Task Manager?
-
I've recently noticed that there's some unwanted activity among the processes running on my computer that creates an "autorun.inf" and an exe named "khg.exe" on every removable storage device attached to the computer. When I monitored the running processes, I found they're created by "Windows Explorer"!!! Of course I can't accuse Microsoft :laugh:, but I can't understand how it's possible to run a thread through another process. :wtf: I know the other processes; they are safe and sound :)
Thank you, masters!
-
Actually, it is possible to run our thread in another process using CreateRemoteThread; that is something related to code injection. As for processes running without being shown in the Task Manager, that is actually done with the help of a technique called API hooking (see "API Hooking (LoadLibrary)"). In Task Manager every process that is shown is enumerated using PSAPI; if we hook those APIs, it will be possible to change the behaviour of Task Manager. You can do that using the API hooking technique.
The greatness of God cannot be underestimated.
modified on Thursday, August 27, 2009 3:10 AM
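The two mechanisms named in the reply above (a thread injected into another process, and a hooked enumeration API that keeps a process out of Task Manager) can both be checked for from the victim side. The script below is an added example, not code from the thread or from its authors: it compares the normal process enumeration with a brute-force OpenProcess over every possible PID (a path that does not go through the enumeration API), and then lists every module mapped into explorer.exe that is not validly signed by Microsoft, since an injected DLL has to be mapped somewhere in that process. The P/Invoke wrapper name Win32.Kernel32, the PID ceiling and the "Microsoft" signer match are assumptions of this example. Run it in an elevated PowerShell session.

```powershell
# Added example (not code from the thread). Two checks to run in an elevated
# PowerShell session on the machine described above:
#   1. a cross-view process listing: compare the normal enumeration (the path
#      Task Manager relies on) with a brute-force OpenProcess over every
#      candidate PID, which does not use the enumeration API at all;
#   2. every module loaded into explorer.exe that is not validly signed by
#      Microsoft, because an injected DLL has to be mapped somewhere in there.

# Assumed wrapper name for this example; the two imports are real kernel32 exports.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_QUERY_INFORMATION = 0x0400   # works on XP as well as later versions
$ERROR_INVALID_PARAMETER   = 87       # what OpenProcess reports for a PID not in use

# View 1: the normal enumeration (same kind of system call Task Manager relies on).
$enumerated = @{}
Get-Process | ForEach-Object { $enumerated[$_.Id] = $_.ProcessName }

# View 2: PIDs are multiples of 4; try to open each one directly. Getting a
# handle, or "access denied" on a protected process, both mean the PID is in use.
# Ceiling is an assumption: twice the highest PID currently visible, at least 0x20000.
$maxPid = [Math]::Max(0x20000, (($enumerated.Keys | Measure-Object -Maximum).Maximum) * 2)
$notEnumerated = @()
for ($candidate = 8; $candidate -lt $maxPid; $candidate += 4) {
    if ($enumerated.ContainsKey($candidate)) { continue }
    $handle = [Win32.Kernel32]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$candidate)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($handle -ne [IntPtr]::Zero) {
        [void][Win32.Kernel32]::CloseHandle($handle)
        $notEnumerated += $candidate
    } elseif ($err -ne $ERROR_INVALID_PARAMETER) {
        # Exists but cannot be opened (ERROR_ACCESS_DENIED etc.): still a live PID.
        $notEnumerated += $candidate
    }
}

# Check 2: non-Microsoft (or unsigned) modules inside every explorer.exe instance.
$suspectModules = foreach ($explorer in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    foreach ($module in $explorer.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $module.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                ExplorerPid = $explorer.Id
                Module      = $module.FileName
                Status      = $sig.Status
                Signer      = $signer
            }
        }
    }
}

"PIDs reachable with OpenProcess but missing from the enumeration: $($notEnumerated -join ', ')"
$suspectModules | Format-Table -AutoSize
```

Two caveats when reading the output. A hook installed only inside taskmgr.exe is invisible to this script, because the enumeration PowerShell performs runs in its own, unhooked process; the cross-view only pays off when the malware hooks every process (or hooks OpenProcess as well, in which case view 2 is blind too, and a kernel-side rootkit defeats both views). A PID that belongs to a process which has exited but still has open handles also shows up in view 2, so treat the first list as leads, not verdicts. Likewise, operating-system DLLs that are catalog-signed rather than carrying an embedded signature can report NotSigned on older Windows versions, so the module list is a triage list to read through, not a list of confirmed injections.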
-
I really thank you for your answer; you're probably a good virus writer ;) But what I actually meant to ask is whether there's any way to write a DLL or something and force Windows Explorer to load and run it when the OS starts. I guess it should involve the registry somehow.
-
I have hardly written any virus programs :), but yes, I have written a few antivirus patches. :) Just add your program's path to the key below, which makes your program start at Windows login: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
The greatness of God cannot be underestimated.
-
Jusef Marzbany wrote:
But I actually meant to know if there's anyway to write a DLL or something and force windows explorer to load and run it when OS starts.
With a DLL, not directly. You'd need to use Rundll32.exe to get it going. If you already had an EXE, then yes. In either case, the registry would be involved.
"Old age is like a bank account. You withdraw later in life what you have deposited along the way." - Unknown
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
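The two persistence answers above (the Run key, and starting a DLL from it via Rundll32.exe) together with the autorun.inf the original poster found on every removable drive all leave artifacts that can be enumerated. The script below is an added example, not code from the thread or its authors: it lists every Run/RunOnce entry in both hives (plus the 32-bit view on 64-bit Windows), flags the entries that load a DLL through rundll32.exe and extracts the DLL path and export name, and reads the [autorun] section of autorun.inf on each removable drive to show what it would launch. The function names Get-AutostartEntries, ConvertFrom-AutorunInf and Get-RemovableDriveAutoruns, and the rundll32 command-line pattern, are this example's own assumptions.

```powershell
# Added example (not code from the thread). Persistence triage for the
# situation in this thread: list every Run/RunOnce autostart entry in both
# hives (plus the 32-bit view on 64-bit Windows), flag the entries that load a
# DLL through rundll32.exe as the last reply describes, and read autorun.inf
# on each removable drive to see what it points at.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every Get-ItemProperty result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($name in $values.PSObject.Properties.Name) {
            if ($providerProps -contains $name) { continue }
            $command = [string]$values.$name
            # "rundll32.exe <dll>,<export>" is how a DLL (rather than an EXE) is
            # started from a Run key. Pattern is an assumption of this example.
            $viaRundll = $command -match '(?i)rundll32(\.exe)?\s+"?(?<dll>[^",]+)"?\s*,\s*(?<export>\S+)'
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $command
                ViaRundll = $viaRundll
                Dll       = if ($viaRundll) { $Matches['dll'] } else { $null }
                Export    = if ($viaRundll) { $Matches['export'] } else { $null }
            }
        }
    }
}

function ConvertFrom-AutorunInf {
    param([string[]]$Lines)
    # Minimal INI reader: keep only key=value pairs from the [autorun] section.
    $inAutorun = $false
    $section = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(?<name>[^\]]+)\]$') {
            $inAutorun = ($Matches['name'] -eq 'autorun')   # -eq is case-insensitive
            continue
        }
        if ($inAutorun -and $line -match '^(?<key>[^=]+)=(?<value>.*)$') {
            $section[$Matches['key'].Trim().ToLower()] = $Matches['value'].Trim()
        }
    }
    return $section
}

function Get-RemovableDriveAutoruns {
    # DriveType 2 = removable disk (USB sticks, memory cards).
    foreach ($disk in (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2')) {
        $inf = Join-Path -Path $disk.DeviceID -ChildPath 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force so a hidden/system-attributed file (the usual case) is still read.
        $entries = ConvertFrom-AutorunInf -Lines (Get-Content -LiteralPath $inf -Force)
        [pscustomobject]@{
            Drive        = $disk.DeviceID
            Open         = $entries['open']
            ShellExecute = $entries['shellexecute']
            Icon         = $entries['icon']
        }
    }
}

Get-AutostartEntries | Format-Table -AutoSize
Get-RemovableDriveAutoruns | Format-Table -AutoSize
```

The Run keys are only the most obvious autostart location; a DLL can also be pulled into every process through AppInit_DLLs or into Explorer through shell extensions, so an empty list here does not clear the machine. On the removable-drive side, Windows 7 and later (and a 2011 update for XP and Vista) no longer honour AutoRun from USB drives, so an autorun.inf whose open= line names khg.exe will not launch it by itself; the remaining risk is a user double-clicking the file, which is why the copy is usually made hidden and given a familiar icon.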