windows - How to prevent my process from CreateToolhelp32Snapshot? -


is there way prevent process detecting process using createtoolhelp32snapshot?

if in environment need protect users these users need non-admin users , can create service or task runs different user cannot killed.

if absolutely need hide process , chosen method injection & hooking there @ least 6 things need hook in user-mode:

  • the toolhelp api
  • the nt4 process api in psapi.dll
  • the undocumented native nt api
  • the terminal server api
  • performance counters
  • wmi

a "better" solution remove process psactiveprocesshead list need in kernel-mode , means writing custom driver. if go down route program labeled malware/rootkit security tools (and rightly so).


Comments

Popular posts from this blog

ZeroMQ on Windows, with Qt Creator -

unity3d - Unity SceneManager.LoadScene quits application -

python - Error while using APScheduler: 'NoneType' object has no attribute 'now' -