Invisible Processes

Discussion in 'Windows Vista Security' started by Adahn, Mar 12, 2006.

  1. Adahn

    Vista should not make it possible for a process to stay invisible;

    Either improve the Task Manager, fix the base process-enumeration APIs, or
    drop any mention of "security" from the hype.
     
    Adahn, Mar 12, 2006
    #1
  2. I totally agree with you - the one way I tell if a virus or malware is on a
    system is to check in Task Manager. You can normally spot them because of
    the way they act, low RAM usage but higher CPU usage and the name of the
    process in general, and if the Task Manager continues to be the way it is
    and hide processes, it'll be harder and harder to track things like viruses.

    You see, OK Vista has Defender installed and running by default, but that
    only picks up the lower-end-of-the-scale-malware, spyware and stuff. However
    if you have an actual virus, there'll be no way of getting rid of it unless
    you have an anti-virus installed... it just makes more sense to have
    everything show up so I totally agree with you.

    --
    Zack Whittaker
    Microsoft Beta (Windows Server R2 Beta Mentor)
    » ZackNET Enterprises: www.zacknet.co.uk
    » MSBlog on ResDev: http://msblog.resdev.net
    » ZackNET Forum: www.zacknet.co.uk/forum
    » VistaBase: www.zacknet.co.uk/vistabase
    » This mailing is provided "as is" with no warranties, and confers no
    rights. All opinions expressed are those of myself unless stated so, and not
    of my employer, best friend, mother or cat. Let's be clear on that one!


     
    Zack Whittaker \(R2 Mentor\), Mar 12, 2006
    #2
  3. Guest

    "You can normally spot them because of the way they act, low RAM usage but
    higher CPU usage and the name of the process in general, and if the Task
    Manager continues to be the way it is and hide processes, it'll be harder
    and harder to track things like viruses."

    So much for Vista being "security"...
     
    Guest, Mar 13, 2006
    #3
  4. Howard

    Also, Task Manager needs to show where the executable file is located.
     
    Howard, Mar 13, 2006
    #4
  5. I am not sure what you mean. If you are talking about the ability of
    malware to infect the kernel to hide itself, then 64-bit XP and Vista have
    what is called PatchGuard. This prevents malware (actually anybody, for
    that matter) from hooking any of the kernel tables like the SSDT and IDT and
    also the in-memory image of the kernel. This will make it very hard for
    malware to hide itself.

    Soumik.
     
    Soumik Sarkar, Mar 14, 2006
    #5
  6. Adahn

    Thanks Zack, help get this issue out to MS will you, here's the details;


    I never paid much thought to "root-kits" and the like until I decided to try
    Maple Story (www.mapleglobal.com) under build 5270, as it had previously
    resulted in BSODs and worse under 5219.

    Now, during installation or the first-run, Windows Defender reports a new
    service: \system32\npptNT2.sys

    even if you elect to Block it, once the game runs you can find no traces of
    it in any system monitoring tool...


    Now this raises several issues;

    1: It's all good that the Defender picked it up, but shouldn't it be handled
    at the core/kernel level, to make it impossible for a process to stay
    invisible?

    2: If we're too aggressive in blocking such behavior, it'll obviously break
    the program and prevent it from running at all, of course, but with all that
    talk of Virtualisation and whatnot in Vista, shouldn't the OS be able to
    just "lie" and assure the process that it has been hidden?

    3: As an online game that uses live cash transactions, Maple Story has every
    right to prevent hacking in any ways that it can, but what's to keep
    malicious apps, or even Microsoft themselves for that matter, to inject
    invisible processes into your system?

    4: If, as others have mentioned on these forums, third-party tools are able
    to detect and report invisible apps, why not Task Manager itself?
     
    Adahn, Mar 14, 2006
    #6
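    The two requests above, Howard's (#4) that the process list show where each
    executable lives, and Adahn's point 4 that hidden processes are detectable
    by third-party tools, come down to one technique: compare the view Task
    Manager relies on with an independent second view and report the
    difference. The script below is an added example, not code from this thread
    or from any tool it mentions. It assumes a Windows Vista-or-later host (the
    two API calls it uses first shipped there), an elevated PowerShell session,
    and a chosen PID ceiling of 65536; the function and variable names are the
    example's own.

```powershell
# Added example: cross-view detection of processes missing from the standard list.
# View A: the enumeration Get-Process (and Task Manager) use.
# View B: brute-force OpenProcess over the PID space (Windows PIDs are multiples of 4).
# A PID that opens in view B but is absent from view A deserves a closer look.
# Assumptions: Vista or later, elevated session, PID ceiling 65536 (chosen for the example).

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags,
    System.Text.StringBuilder lpExeName, ref uint lpdwSize);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough to ask for the image path, nothing more
$ERROR_ACCESS_DENIED = 5

function Get-ImagePath {
    # Returns the full on-disk path of the image behind an open process handle (Howard's request).
    param([IntPtr]$Handle)
    $sb  = New-Object System.Text.StringBuilder 1024
    $len = [uint32]$sb.Capacity
    if ([Win32.Native]::QueryFullProcessImageName($Handle, 0, $sb, [ref]$len)) {
        return $sb.ToString(0, $len)
    }
    return $null
}

function Find-HiddenProcesses {
    param([int]$MaxPid = 65536)

    # View A: what the standard enumeration reports.
    $visible = @{}
    Get-Process | ForEach-Object { $visible[$_.Id] = $true }

    $findings = @()
    # View B: try to open every possible PID directly.
    # ($pid is a PowerShell automatic variable, so the loop uses $candidate.)
    for ($candidate = 4; $candidate -lt $MaxPid; $candidate += 4) {
        if ($visible.ContainsKey($candidate)) { continue }

        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        if ($h -eq [IntPtr]::Zero) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            # ACCESS_DENIED means a process object exists at this PID even though we cannot open it.
            if ($err -eq $ERROR_ACCESS_DENIED) {
                $findings += [pscustomobject]@{ Pid = $candidate; ImagePath = '<access denied>' }
            }
            continue
        }

        $path = Get-ImagePath -Handle $h
        [void][Win32.Native]::CloseHandle($h)
        $findings += [pscustomobject]@{ Pid = $candidate; ImagePath = $path }
    }
    return $findings
}

# Usage: list every PID reachable by OpenProcess that the standard enumeration did not report.
Find-HiddenProcesses | Format-Table -AutoSize
```

    Two caveats for anyone reading the output. A PID can appear in view B and
    not in view A for innocent reasons: a process that started between the two
    snapshots, or one that has exited but whose process object is kept alive by
    an open handle elsewhere; run the check twice and treat only PIDs that
    persist as suspicious. And the comparison only catches hiding that affects
    the enumeration API; something that also filters OpenProcess, or sits below
    the OS as Alun describes later in the thread, needs a view taken from
    outside the running system.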
  7. Howard

    I just want to add that rootkits cannot be installed on x64 systems.
     
    Howard, Mar 15, 2006
    #7
  8. Yet. Never underestimate the hoodlums.
     
    Pierre Szwarc, Mar 15, 2006
    #8
  9. Alun Jones

    Never mistake "has not" for "cannot".

    As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my take
    is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you can
    always insert a rootkit between the BIOS and the OS. Since any non-quantum
    computer can be emulated by any other non-quantum computer to any degree of
    accuracy, there is always a way to do this, as long as you can get the darn
    thing past the requirement of needing administrative access.

    Sadly, buying an x64 processor doesn't get rid of the most frequent cause of
    inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes,
    while your processor may have doubled in bits, the person running it is still
    the same two-bit hack he's always been, and will gladly give up his
    administrator password in return for a chance at a glimpse of the dancing
    pigs.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
     
    Alun Jones, Mar 16, 2006
    #9
  10. Howard

    http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx

     
    Howard, Mar 17, 2006
    #10
  11. Adahn

    > while your processor may have doubled in bits, the person running it is

    LOL?!??
     
    Adahn, Mar 17, 2006
    #11
  12. Alun Jones

    Wonderful. How about we all post a random link to some page at Microsoft -
    or are you suggesting that this page either supports or debunks my
    statements? If that's what you intended, perhaps you can give some
    explanation?

    Alun.
    ~~~~

     
    Alun Jones, Mar 17, 2006
    #12
  13. Howard

    Ok. I should have been more careful not to use that word. I agree no system
    is 100% secure.
    From what I understand most rootkits are patches to the kernel. Disabling
    that feature in x64 operating systems makes them more secure and less
    vulnerable to existing malware.

    Just curious, how are quantum computers different? They are still designed
    by humans and prone to have mistakes.

    Howard

     
    Howard, Mar 17, 2006
    #13
  14. Adahn

    > Just curious, how are quantum computers different? They are still designed

    and they tend to come up with "42" as the answer to most stuff, for some
    strange reason
     
    Adahn, Mar 18, 2006
    #14
  15. But, they come up with the answer even when they're not turned on... (sorry,
    I can't locate the link, but it's *not* a joke)
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Adahn" <administrator@localhost> wrote in message %...
    | > Just curious, how are quantum computers different? They are still designed
    | > by humans and prone to have mistakes.
    |
    | and they tend to come up with "42" as the answer to most stuff, for some
    | strange reason
    |
     
    Pierre Szwarc, Mar 18, 2006
    #15
  16. LOL - it's because in the book "The Hitchhiker's Guide to the Universe"...
    long story short, these guys on a separate planet wanted to know "the answer
    to life, the universe and everything". However, the computer took a few
    million years to work it out...

    "You're not going to like it... there wasn't much to go on, but the answer
    I've come up with... is 42."

    Also to prove the point, Google has this also:
    http://www.google.co.uk/search?hl=en&q=the+answer+to+life,+the+universe+and+everything&meta=

    --
    Zack Whittaker
    » ZackNET Enterprises: www.zacknet.co.uk
    » MSBlog on ResDev: www.msblog.org
    » Vista Knowledge Base: www.vistabase.co.uk
    » This mailing is provided "as is" with no warranties, and confers no
    rights.
    All opinions expressed are those of myself unless stated so, and not of my
    employer, best friend, Gandhi, my mother or my cat. Glad we cleared that up!

     
    Zack Whittaker \(R2 Mentor\), Mar 18, 2006
    #16
  17. Thanks for all the fish, but I did spot the reference <g> However, the fact
    that an Italian team did manage to get results out of a quantum computer
    that wasn't turned on remains... I even remember the remark from one of the
    researchers, "you get fewer mistakes from a computer that's not running"
    <lol>
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Zack Whittaker (R2 Mentor)" <> wrote in message news: ...
    | LOL - it's because in the book "The Hitchhiker's Guide to the Universe"...
    | long story short, these guys on a separate planet wanted to know "the answer
    | to life, the universe and everything". However, the computer took a few
    | million years to work it out...
    |
    | "You're not going to like it... there wasn't much to go on, but the answer
    | I've come up with... is 42."
    |
    | Also to prove the point, Google has this also:
    | http://www.google.co.uk/search?hl=en&q=the+answer+to+life,+the+universe+and+everything&meta=
    |
     
    Pierre Szwarc, Mar 19, 2006
    #17
  18. Adahn

    Good.. first invisible processes now undead computers

    just adopt some stylized pentagram in place of the Windows Flag and we can
    have the sequel to Fear.com
     
    Adahn, Mar 19, 2006
    #18