19

Is there any way to hide a C# program from the Windows Task Manager?

EDIT: Thanks for the overwhelming response! Well I didn't intend to do something spooky. Just wanted to win a bet with my friend that I can do it without him noticing. And I'm not a geek myself to be able to write a rootkit, as someone suggested though I'd love to know how to do it.

softwarematter
  • 13
    Why would you want to do something like this? – Daniel A. White Jul 31 '09 at 12:39
  • 4
    I don't know the answer, but if I did, I'd be inclined to ask about your reasons for doing so before explaining just how to go about doing this. – Samir Talwar Jul 31 '09 at 12:40
  • 6
    yes, there is: don't start it – RaYell Jul 31 '09 at 12:41
  • 3
    I think we all know exactly what kind of program needs to do this X-) – Adriaan Stander Jul 31 '09 at 12:43
  • 8
    I think it's a valid and interesting question. – Roee Adler Jul 31 '09 at 12:48
  • I can think of a few non-malicious reasons for it when it comes to monitoring computers. Is it right or correct? Probably not but it could be argued as a valid reason. – Tony Jul 31 '09 at 12:53
  • 1
    Anything could be argued, but the OP should come back and tell us if our speculations are correct. – John Saunders Jul 31 '09 at 13:03
  • These posts might be of use: http://www.google.com/search?q=site%3Astackoverflow.com+sony+rootkit – Greg Jul 31 '09 at 13:27
  • 2
    Not everyone who buys sharp knives is a murderer. – LeopardSkinPillBoxHat Nov 13 '09 at 01:14
  • 1
    If you need this for monitoring user activity, the legitimate solution is **don't** hide it from the task manager; just adjust permissions so that it can't be killed by anyone that's not a domain admin. – 3Dave Dec 11 '09 at 18:17
  • possible duplicate of [Is it possible to hide console C# application from Task Manager ?](http://stackoverflow.com/questions/759466/is-it-possible-to-hide-console-c-application-from-task-manager) – Fred Nurk Feb 07 '11 at 05:43
  • 1
    possible duplicate of [How do I hide a process in Task Manager in C#?](http://stackoverflow.com/questions/187983/how-do-i-hide-a-process-in-task-manager-in-c) – Fred Nurk Mar 14 '11 at 02:42

5 Answers

29

Not that I'm aware of - and there shouldn't be. The point of the task manager is to allow users to examine processes etc.

If the user should be able to do that, they should be able to find your program. If they shouldn't be poking around in Task Manager, group policy should prevent that - not your program.

Jon Skeet
19

Don't mean to zombie this but I thought I could contribute some useful information.

If you want to hide an application there are two methods (that I can think of atm).

They both have their ups and downs.

[1] SSDT Table hooking - basically you have to set the MDL of the table to writeable, overwrite the address of NtQuerySystemInformation (iirc) with the address of your function and have it call the original function after filtering the results.

This method doesn't suit your needs very well because the hooking function would always need to be in memory and would involve writing a kernel mode driver. It's a fun thing to do but debugging is a pain because an exception means a BSOD.

[2] Direct Kernel Object Manipulation (DKOM) - the list of processes is a doubly linked list, with a kernel mode driver you can alter the pointers of the records above and below your process to point around yours. This still requires the use of a kernel mode driver but there are rootkits such as FU that can be easily downloaded that contain an exe and the service. The exe could be called from inside your application as a child process (in the released version of FU, at least the one I found, there was a bug which I had to fix where if the hidden application exited the computer would BSOD, it was a trivial fix).

This will thankfully be caught by almost any decent antivirus so if you are trying to do something sneaky you'll have to learn to get around that (hint: they use a binary signature)

I have not used method 1 ever but method 2 has worked for me from a VB.Net application.

A third possible option is to just create the application as a Windows service. This will show up in task manager by default, but I'm willing to bet that there is a way to tell it to not show up there since there are plenty of other services which don't show up in task manager.

Hope I helped a little, my advice is that if you are interested in this kind of stuff to learn C++.

ckittel
MitchellKrenz
14

You could make your program a service and then it would appear as "svchost". There's a little more to it than that, but that should give you a hint to go in the right direction.

samoz
7

I'm not aware of any way to hide it from the task manager, but you could just disguise it by making it show up as "svchost.exe". It'll get lumped in with all the others (there's usually several), and will become indistinguishable.

Mike Trpcic
  • Not really - you can still see the path of the executable in Task Manager. – xyz Jul 31 '09 at 13:17
  • 1
    @frou: Yeah, but if you just name it svchost.exe and drop it somewhere underneath c:/Windows, most people would just think it's a regular windows application. – Mike Trpcic Jul 31 '09 at 13:25
  • 1
    Blah - simply calling it svchost.exe is a messier/less-effective version of what samoz suggests :) – xyz Jul 31 '09 at 14:21
  • 1
    +1 - I think this is one of the more common techniques for obfuscating malware. – Mayo Dec 11 '09 at 18:20
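
The point raised in the comments above, that the executable path still gives a renamed program away, is the basis of a simple defensive check. The following is an added example, not code from the thread: it flags any `svchost.exe` whose image path lies outside System32/SysWOW64, and additionally (a check that goes beyond the thread) any whose parent is not `services.exe`. The record fields, the `C:\Windows` system root and the sample snapshot are constructed assumptions.

```python
import ntpath

# Assumption: SystemRoot is C:\Windows; the genuine svchost.exe runs only from here.
SYSTEM_ROOT = r"C:\Windows"
TRUSTED_DIRS = {
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "System32")),
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "SysWOW64")),
}


def svchost_findings(proc):
    """Return the reasons a process record looks like a disguised svchost.exe."""
    # Normalise case, slashes and ".." so path tricks do not bypass the comparison.
    image = ntpath.normcase(ntpath.normpath(proc["path"]))
    if ntpath.basename(image) != "svchost.exe":
        return []
    reasons = []
    if ntpath.dirname(image) not in TRUSTED_DIRS:
        reasons.append("image path outside System32/SysWOW64")
    if proc["parent"].lower() != "services.exe":
        reasons.append("parent is not services.exe")
    return reasons


def audit(snapshot):
    """Map PID -> findings for every suspicious record in a process snapshot."""
    return {p["pid"]: r for p in snapshot if (r := svchost_findings(p))}


# Constructed sample snapshot (hypothetical field names: pid, path, parent).
SNAPSHOT = [
    {"pid": 812, "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 4312, "path": r"C:\Windows\svchost.exe", "parent": "explorer.exe"},
    {"pid": 5120, "path": "c:/windows/system32/../Temp/svchost.exe", "parent": "services.exe"},
    {"pid": 640, "path": r"C:\Windows\System32\lsass.exe", "parent": "wininit.exe"},
]

if __name__ == "__main__":
    for pid, reasons in audit(SNAPSHOT).items():
        print(pid, "; ".join(reasons))
```

On a live host the records would come from a process inventory that exposes the executable path and parent process, with the parent PID resolved to a name first.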
3

You shouldn't hide it, but you could prevent the user from killing the process.

See Chris Smith's answer to this question.

Community
Winston Smith