http://www.perlmonks.org?node_id=1016764


in reply to win32-process-hide infected with mal/packer?

Is this ability, that is exposed by the OS to any language that can dynamically load DLLs, and is subject to all the usual fine-grained permissions controls the OS offers (i.e. you can only hide your own processes, or those you have the explicit rights to access), really so different from the following, which is available on many (most?) variants of *nix, and is documented in the perl docs?

$PROGRAM_NAME $0

Contains the name of the program being executed.

On some (read: not all) operating systems assigning to $0 modifies the argument area that the ps program sees. On some platforms you may have to use special ps options or a different ps to see the changes. Modifying the $0 is more useful as a way of indicating the current program state than it is for hiding the program you're running. (Mnemonic: same as sh and ksh.)


With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.
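To show what the quoted perlvar text actually describes, here is a short added Perl script (not from the original post or from PerlMonks) that assigns to $0 and then asks ps about its own PID. It assumes a Linux-like system where ps honours the rewritten argv and where /proc/<pid>/exe exists; the status string is a constructed example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example: relabel this process via $0 and confirm that it is
# still listed by ps under its real PID. Not code from the original thread.

my $original = $0;
my $pid      = $$;

printf "before: pid %d, \$0 = %s\n", $pid, $original;

# Assign a status string; on Linux this rewrites the argv area that ps reads.
# This is the "indicating the current program state" use perlvar mentions.
$0 = "worker: processing batch 7 of 12";

# ps still lists the process by PID; only the displayed command line changes.
my $ps_line = `ps -o pid=,args= -p $pid`;
chomp $ps_line;
print "ps sees: $ps_line\n";

# On Linux, /proc/<pid>/exe still points at the real interpreter binary,
# so the relabelled argv does not conceal what is actually running.
if (-l "/proc/$pid/exe") {
    my $exe = readlink("/proc/$pid/exe");
    print "real executable: $exe\n";
}

# Restore the original name before exiting, as a well-behaved status
# reporter would.
$0 = $original;
```

Run it as `perl relabel.pl`; the ps line shows the new argv text but the same PID, and on Linux the /proc link still resolves to the perl binary, which is why an administrator (or a process-monitoring rule keyed on PID, parent PID or executable path rather than on the command line) is not misled by the change.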

Replies are listed 'Best First'.
Re^2: win32-process-hide infected with mal/packer?
by Anonymous Monk on Feb 03, 2013 at 04:07 UTC

    really so different from the following which is available on many (most?) variants of *nix, and is documented in the perl docs?

    Yes it is, changing $0 doesn't hide the process from ps -- hiding a process is purely rootkit territory

Re^2: win32-process-hide infected with mal/packer?
by LanX (Saint) on Feb 02, 2013 at 23:58 UTC
    Sigh, I will certainly not participate in an OS flame!

    I just reported what I saw and asked if anyone more proficient with Win can have a look into it.

    That's it.

    Cheers Rolf

      I will certainly not participate in an OS flame!

      If my asking a question and quoting the Perl POD constitutes "an OS flame" in your eyes, there's no more to be said.

