How To Identify Hidden Processes In Windows (Rootkits)

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, August 15, 2008

Follow me on Twitter as @mattiasgeniar

It’s one thing to detect evil processes running on a linux system, it’s quite another to detect them when they’re hidden from the system itself. A rootkit does just that. It runs one, or several, processes and hides them from the system so they become undetectable.

I’ve recently shared how to detect bad processes if they’re not hidden on a Linux system, but how do you go about discovering processes that are inherently hidden to you, on a windows device?

ProcL seems to be the solution to this particular problem. A nice guide is posted at ScanIT.net. Here’s a little excerpt of their article.

Hiding a process is particularly threatening because it represents some malicious code running on your system that you are completely unaware of. Process hiding has a significant effect. Many of the trojan, virus, spyware, rootkit writers use similar techniques to hide themselves and stay undetected as long as possible on target machines. Finding all the ways a rootkit might hide a process is just the first step in defending against the rootkits. Detecting hidden objects is a promising new area in rootkit detection. It is necessary to have protection against the hidden processes, if you want to stay secured. Many of the antivirus and antispyware manufacturing companies falling back as they are not able to come up with any solutions for hidden processes. There are only few tools which can detect hidden processes, but are you willing to pay them considerable amount of money?

It’s worth a try, it’ll scan your system for any kind of security leaks, by examining each kernel-object in detail (EPROCESS, ETHREADS, HANDLES, JOBS).

For more details, and a download link for the small tool, I’ll refer you to the ScanIT pages.

Other tools are available as well, such as DeepMonitor. And if you’re interested in a good read about Windows Security, with specific detail to Rootkits and Trojans (complete with screenshots & nice hints), there’s a not-to-miss article on WindowsSecurity.com: Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment.

Note: I have no experience whatsoever with ProcL or DeepMonitor, but the idea is cool and it sounds like it could be worth something. Please share any comments you might have, or any user experience.



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.