在任务管理器中隐藏 C# 程序?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1212318/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Hide a C# program from the task manager?
提问by devnull
Is there any way to hide a C# program from the Windows Task Manager?
有没有办法从 Windows 任务管理器中隐藏 C# 程序?
EDIT: Thanks for the overwhelming response! Well I didn't intend to do something spooky. Just wanted to win a bet with my friend that I can do it without him noticing. And I'm not a geek myself to be able to write a rootkit, as someone suggested though I'd love to know how to do it.
编辑:感谢您的热烈响应!好吧,我并不打算做一些令人毛骨悚然的事情。只是想和我的朋友打个赌,我可以在他不注意的情况下做到这一点。而且我自己也不是一个能够编写 rootkit 的极客,正如有人建议的那样,尽管我很想知道如何去做。
采纳答案by Jon Skeet
Not that I'm aware of - and there shouldn't be. The point of the task manager is to allow users to examine processes etc.
不是我知道 - 而且不应该有。任务管理器的目的是允许用户检查进程等。
If the user should be able to do that, they should be able to find your program. If they shouldn't be poking around in Task Manager, group policy should prevent that - not your program.
如果用户应该能够这样做,他们应该能够找到您的程序。如果他们不应该在任务管理器中闲逛,组策略应该阻止它 - 而不是你的程序。
回答by Winston Smith
You shouldn't hide it, but you could prevent the user from killing the process.
你不应该隐藏它,但你可以阻止用户终止进程。
回答by samoz
You could make your program a service and then it would appear as "svchost". There's a little more to it than that, but that should give you a hint to go in the right direction.
您可以使您的程序成为服务,然后它会显示为“svchost”。还有更多的东西,但这应该给你一个提示,让你朝着正确的方向前进。
回答by Mike Trpcic
I'm not aware of any way to hide it from the task manager, but you could just disguise it by making it show up as "svchost.exe". It'll get lumped in with all the others (there's usually several), and will become indistinguishable.
我不知道有什么方法可以将它隐藏在任务管理器中,但您可以通过使其显示为“svchost.exe”来伪装它。它将与所有其他人混为一谈(通常有几个),并且变得无法区分。
回答by MitchellKrenz
Don't mean to zombie this but i thought i could contribute some useful information
不是要僵尸这个,但我想我可以贡献一些有用的信息
If you want to hide a application there a two methods (that i can think of atm).
如果你想隐藏一个应用程序,有两种方法(我可以想到 atm)。
They both have their ups and downs
他们都有自己的起起落落
[1] SSDT Table hooking- basically you have to set the MDL of the table to writeable, overwrite the address of NtQuerySystemInformation
(iirc) with the address of your function and have it call the original function after filtering the results.
[1] SSDT 表挂钩- 基本上你必须将表的 MDL 设置为可写,用NtQuerySystemInformation
你的函数地址覆盖(iirc) 的地址,并让它在过滤结果后调用原始函数。
This method doesn't suit your needs very well because the hooking function would always need to be in memory and would involve writing a kernel mode driver. Its a fun thing to do but debugging is a pain because an exception means a BSOD.
这种方法不太适合您的需求,因为挂钩函数总是需要在内存中,并且需要编写内核模式驱动程序。这是一件有趣的事情,但调试很痛苦,因为异常意味着 BSOD。
[2] Direct Kernel Object Manipulation (DKOM)- the list of processes is a doubly linked list, with a kernel mode driver you can alter the pointers of the records above and below your process to point around yours. This still requires the use of a kernel mode driver but there are rootkits such as FU that can be easily downloaded that contain an exe and the service. The exe could be called from inside your application as a child process (in the released version of FU, at least the one I found, there was a bug which I had to fix where if the hidden application exited the computer would BSOD, it was a trivial fix).
[2]直接内核对象操作 (DKOM)- 进程列表是一个双向链表,通过内核模式驱动程序,您可以更改进程上方和下方记录的指针以指向您的进程。这仍然需要使用内核模式驱动程序,但可以轻松下载包含 exe 和服务的 FU 等 rootkit。exe 可以作为子进程从您的应用程序内部调用(在 FU 的发布版本中,至少我发现的那个版本中,有一个错误我必须修复,如果隐藏的应用程序退出计算机会蓝屏,它是一个微不足道的修复)。
This will thankfully be caught by almost any decent antivirus so if you are trying to do something sneaky you'll have to learn to get around that (hint: they use a binary signature)
值得庆幸的是,几乎所有像样的防病毒软件都可以捕获它,因此如果您试图做一些偷偷摸摸的事情,则必须学会解决这个问题(提示:它们使用二进制签名)
I have not used method 1 ever but method 2 has worked for me from a VB.Net application.
我从来没有使用过方法 1,但方法 2 从 VB.Net 应用程序中对我有用。
A third possible option is to just create the application as a windows service, this will show up in task manager by default but I'm willing to bet that there is a way to tell it to not show up there since there are plenty of other services which don't show up in task manager.
第三种可能的选择是将应用程序创建为 Windows 服务,默认情况下这将显示在任务管理器中,但我敢打赌有一种方法可以告诉它不显示在那里,因为还有很多其他的没有出现在任务管理器中的服务。
Hope I helped a little, my advice is that if you are interested in this kind of stuff to learn C++.
希望我有所帮助,我的建议是,如果您对此类东西感兴趣,可以学习 C++。