Jump to content

Sky Slate Blueberry Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate

Hyde your process from the Task Manager


  • This topic is locked This topic is locked
60 replies to this topic
  • Guests
  • Last active:
  • Joined: --
Many times people ask how to hide their exe from the Windows task manager. Here is the answer.

This dll is loaded into other processes (not only task manager) using a technique known as Trampoline. If the hook succeeds, the process won't be able to see your process. The dll hooks NtQuerySystemInformation, Process32First, Process32FirstW, Process32Next and Process32NextW.

It's not 100% effective - some processes can find your exe. Console and .NET programs are 2 examples, and there may be others.

But if simply hiding from the task manager is what you need, this may be the way to go.

Be sure to use the correct dll for the operating system: hyde.dll for x86 and hyde64.dll for x64. AHK_L Unicode is required for the example script.

### Example script ###
/*
		hyde.dll hides a process from the task manager on Windows 2000 - Windows 7 
		x86 & x64 bit OSes
		
		Your process can inject it into other processes however you like. The example uses
		SetWindowsHookEx with a CBT hook (the dll exports a CBTProc) to inject it into all
		running processes.
		
		Press Esc to exit the script.
		
		Note: if you don't compile the script, AutoHotKey.exe gets hidden. Otherwise
		the name of the .exe gets hidden.
*/

#NoEnv
SetWorkingDir %A_ScriptDir%

OnExit, ExitSub

hMod := DllCall("LoadLibrary", Str, "hyde.dll", Ptr) ;for x86
;hMod := DllCall("LoadLibrary", Str, "hyde64.dll", Ptr) ;for x64
if (hMod)
{
	hHook := DllCall("SetWindowsHookEx", Int, 5, Ptr, DllCall("GetProcAddress", Ptr, hMod, AStr, "CBProc", ptr), Ptr, hMod, Ptr, 0, Ptr)
	if (!hHook)
	{
		MsgBox, SetWindowsHookEx failed
		ExitApp
	}
}
else
{
	MsgBox, LoadLibrary failed
	ExitApp
}

MsgBox, Process hidden
Return

Esc::ExitApp

ExitSub:
	if (hHook)
		DllCall("UnhookWindowsHookEx", Ptr, hHook)
	if (hMod)
		DllCall("FreeLibrary", Ptr, hMod)
ExitApp

hyde.dll
hyde64.dll

Zip package - both dlls and example script

JSLover
  • Members
  • 920 posts
  • Last active: Nov 02 2012 09:54 PM
  • Joined: 20 Dec 2004
Are you OK with posting the source to the DLLs?
Useful forum links: New content since: Last visitPast weekPast 2 weeks (links will show YOUR posts, not mine)

OMFG, the AutoHotkey forum is IP.board now (yuck!)...I may not be able to continue coming here (& I love AutoHotkey)...I liked phpBB, but not this...ugh...

Note...
I may not reply to any topics (specifically ones I was previously involved in), mostly cuz I can't find the ones I replied to, to continue helping, but also just cuz I can't stand the new forum...phpBB was soo perfect. This is 100% the opposite of "perfect".

I also semi-plan to start my own, phpBB-based AutoHotkey forum (or take over the old one, if he'll let me)
PM me if you're interested in a new phpBB-based forum (I need to know if anyone would use it)
How (or why) did they create the Neil Armstrong memorial site (neilarmstronginfo.com) BEFORE he died?

fragman
  • Members
  • 1591 posts
  • Last active: Nov 12 2012 08:51 PM
  • Joined: 13 Oct 2009
I don't see any legitimate reason for doing this. Can you name any?

ModeratorPleaseLook
  • Guests
  • Last active:
  • Joined: --
Looks dubious....

  • Guests
  • Last active:
  • Joined: --

...Can you name any?


I can. Let's say I have a laptop. And let's say that I have something running on my laptop that I wouldn't really want anyone shutting down in the case that it was stolen or whatever. This could help a bit.

There are many reason why someone would want to hide their program... some are good and some are not so good, but it's that way with anything.

And this beats closing the Task Manager when it gets opened which is what people do at the moment :roll:

  • Guests
  • Last active:
  • Joined: --

Are you OK with posting the source to the DLLs?

Yes, but under the MIT License as required by the mhook library license. :)

trismarck
  • Members
  • 390 posts
  • Last active: Nov 25 2015 12:35 PM
  • Joined: 02 Dec 2010
This looks kind of scary.

  • Guests
  • Last active:
  • Joined: --
Cool :D

Klark92
  • Members
  • 870 posts
  • Last active: Dec 29 2015 09:47 PM
  • Joined: 19 Feb 2012
dude where did you get this dll ? :)

I CAN PROTECT YOUR SCRIPT (ANTI-DECOMPILER by Klark92) (AHK_L*)(PM)
Klark92's Script2Exe Wizard
AHK_L / AHK COMPILED EXE / BIN ICON CHANGER


Uberi
  • Moderators
  • 1119 posts
  • Last active: May 02 2015 06:05 PM
  • Joined: 23 Aug 2010
Very impressive, but with great potential for abuse...

  • Guests
  • Last active:
  • Joined: --

dude where did you get this dll ? :)

The MS C++ compiler seemed to spit it out when I typed in the code and clicked compile ;)

Very impressive, but with great potential for abuse...

Thanks. But the potential for abuse is kind of negated by its limitations. Any malware created with this would be easily detected and removed with standard malware tools.

The only thing creating malware with this will do is get it flagged as malware itself :(

Klark92
  • Members
  • 870 posts
  • Last active: Dec 29 2015 09:47 PM
  • Joined: 19 Feb 2012
I did not try it while anti-virus running .. you say it's dedecting easily by anti-virus ?

I CAN PROTECT YOUR SCRIPT (ANTI-DECOMPILER by Klark92) (AHK_L*)(PM)
Klark92's Script2Exe Wizard
AHK_L / AHK COMPILED EXE / BIN ICON CHANGER


Klark92
  • Members
  • 870 posts
  • Last active: Dec 29 2015 09:47 PM
  • Joined: 19 Feb 2012
by the way .. I translated it to Autohotkey BASIC version .. I tried it. it works...

/*
      hyde.dll hides a process from the task manager on Windows 2000 - Windows 7 
      x86 & x64 bit OSes
      
      Your process can inject it into other processes however you like. The example uses
      SetWindowsHookEx with a CBT hook (the dll exports a CBTProc) to inject it into all
      running processes.
      
      Press Esc to exit the script.
      
      Note: if you don't compile the script, AutoHotKey.exe gets hidden. Otherwise
      the name of the .exe gets hidden.
*/

#NoEnv
SetWorkingDir %A_ScriptDir%

OnExit, ExitSub

hMod := DllCall("LoadLibrary", Str, "hyde.dll", uint)

hmodule2 := DllCall("GetProcAddress", uint, hMod, Str, "CBProc", uint)

hHook := DllCall("SetWindowsHookEx", Int, 5, uint, hmodule2, uint, hMod, uint, 0, uint)

MsgBox, Process hidden
Return

Esc::ExitApp

ExitSub:
   if (hHook)
      DllCall("UnhookWindowsHookEx", uint, hHook)
   if (hMod)
      DllCall("FreeLibrary", uint, hMod)
ExitApp

I CAN PROTECT YOUR SCRIPT (ANTI-DECOMPILER by Klark92) (AHK_L*)(PM)
Klark92's Script2Exe Wizard
AHK_L / AHK COMPILED EXE / BIN ICON CHANGER


Ohh
  • Guests
  • Last active:
  • Joined: --

by the way .. I translated it to Autohotkey BASIC version ..


Basic? lol
No one uses that anymore dude

Delusion
  • Members
  • 272 posts
  • Last active: Jul 13 2014 09:04 PM
  • Joined: 16 Jul 2008

by the way .. I translated it to Autohotkey BASIC version ..


Basic? lol
No one uses that anymore dude


whats so funny?
some people do
QuickSubs | Popcorn Movie Catalog
All my scripts are just in AutoHotkey v1.0.48.05