Fundamentally, a running program appears in memory as a process, so listing all processes in memory is the crucial first step in analyzing which programs are running. Although process management is usually outside the job of ordinary users, Windows still offers a powerful tool, taskmgr.exe, plus several groups of functions that implement the same thing. To help you uncover spyware programmatically, we will examine the methods for enumerating active processes and compare them.
Programmers are usually familiar with processes, whereas ordinary users may not be. Even so, viewing and managing processes from code is still unfamiliar territory for many developers who write ordinary applications.
In the world of spyware the situation changes dramatically: both spyware developers and anti-spyware developers must know how to view, and even manage, processes in their code. Strictly speaking, the first requirement comes from the anti-spyware side. Because processes, of which there are usually only a few dozen, are easier to analyze than any other class of system object, such as files or registry entries, professional anti-spyware analysts often focus on processes. It is a sure fact that every process corresponds to a file, so if an analyst suspects a process, it is easy to obtain the file that created it. Following this clue, the remaining analysis may disclose the spyware's secrets quickly. To avoid being caught in the process list, spyware developers have to research how to avoid being viewed and how to repair themselves when some component is killed. For this reason spyware also needs to view and manage processes; otherwise it cannot monitor and maintain itself intelligently.
In fact, Microsoft did not offer process-management interfaces to developers at the beginning. As a result, today we have two groups of Win32 API functions, which came from Windows 98 and Windows NT respectively. The Windows 98 developers designed the ToolHelp32 API, which was later added to Windows 2K/XP, whereas the Windows NT developers used the Process Status Helper (PSAPI) library to implement the same functionality.
Although PSAPI is also released in later versions of Windows, its applicability seems narrower than that of ToolHelp32. In particular, it cannot be called on Windows 98/ME, so developers are unwilling to use it when they cannot decide or control which operating system is installed on users' machines. Spyware, especially spyware meant to run on a large number of computers, must cope with a variety of platforms. Therefore the ToolHelp32 API is more widely used by spyware, since its users are numerous, random and unknown in advance.
In addition to ToolHelp32 and PSAPI there are several other ways. For example, the Performance Data Helper functions in PDH.DLL use data in the registry to enumerate processes. Moreover, now that we know the real data about running processes is kept in the registry, it is also feasible to query the currently running processes from the registry directly.
Moreover, an undocumented function, NtQuerySystemInformation, can enumerate processes too. From its name you can guess that it does not work on Windows 98/ME. We certainly do not think it a good idea to use an undocumented function when a documented function with the same functionality is available. We mention it here not to encourage its use, but because its corresponding kernel function, ZwQuerySystemInformation, is the key to hiding processes from all tools such as taskmgr.exe.
In short, although the Win32 API offers several methods for enumerating the currently running processes, unfortunately none of them works on every Win32 platform. To date the ToolHelp32 API is available on the widest range of platforms: except for Windows NT, it runs on almost all current Windows systems. Because only a few client machines run Windows NT, the ToolHelp32 API is the most popular option for spyware.
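As an added example (not code from the original article), here is a small C program that enumerates processes with both API families compared above, ToolHelp32 and PSAPI, and reports any PID that one view returns and the other does not, which is one way a detector notices a process hidden from a single enumeration path. It assumes a MinGW or MSVC toolchain linked against psapi; the array size, function names and output format are my own choices.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#include <psapi.h>  /* link with -lpsapi (MinGW) or psapi.lib (MSVC) */
#endif
#define MAX_PIDS 4096
/* Copy to out[] every PID in a[] that is absent from b[]; return the count.
 * Platform-neutral, so the comparison itself can be checked anywhere. */
static size_t missing_from(const unsigned long *a, size_t na,
                           const unsigned long *b, size_t nb, unsigned long *out) {
    size_t n = 0, i, j;
    for (i = 0; i < na; i++) {
        int found = 0;
        for (j = 0; j < nb && !found; j++) found = (a[i] == b[j]);
        if (!found) out[n++] = a[i];
    }
    return n;
}
#ifdef _WIN32
/* View 1: ToolHelp32 snapshot walked with Process32First/Process32Next. */
static size_t list_toolhelp(unsigned long *pids, size_t cap) {
    size_t n = 0;
    PROCESSENTRY32 pe;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    pe.dwSize = sizeof(pe);
    if (Process32First(snap, &pe))
        do { if (n < cap) pids[n++] = pe.th32ProcessID; } while (Process32Next(snap, &pe));
    CloseHandle(snap);
    return n;
}
/* View 2: PSAPI EnumProcesses (DWORD is unsigned long on Win32). */
static size_t list_psapi(unsigned long *pids, size_t cap) {
    DWORD bytes = 0;
    if (!EnumProcesses((DWORD *)pids, (DWORD)(cap * sizeof(DWORD)), &bytes)) return 0;
    return bytes / sizeof(DWORD);
}
/* A PID present in one view but absent from the other deserves a closer look;
 * processes that start or exit between the two calls also land here, so re-run. */
int main(void) {
    static unsigned long a[MAX_PIDS], b[MAX_PIDS], d[MAX_PIDS];
    size_t na = list_toolhelp(a, MAX_PIDS), nb = list_psapi(b, MAX_PIDS), i, nd;
    printf("ToolHelp32 sees %u processes, PSAPI sees %u\n", (unsigned)na, (unsigned)nb);
    for (nd = missing_from(a, na, b, nb, d), i = 0; i < nd; i++) printf("PID %lu: ToolHelp32 only\n", d[i]);
    for (nd = missing_from(b, nb, a, na, d), i = 0; i < nd; i++) printf("PID %lu: PSAPI only\n", d[i]);
    return 0;
}
#endif
```

A difference that persists across several runs, rather than one caused by a process starting or exiting between the two calls, is the case worth investigating.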