Fundamentally, a running program appears in memory as a process, so listing all processes in memory is the crucial first step in analyzing what programs are running. Although process management is usually outside the job of ordinary users, Windows still offers a powerful tool, taskmgr.exe, plus several groups of functions for implementing the same thing in code. To help you uncover spyware programmatically, we will survey the methods for enumerating active processes and compare them.
Programmers are usually familiar with the concept of a process, whereas ordinary users might not be. However, viewing and even managing processes from code is still outside the experience of many developers who write regular applications.
In the world of spyware the situation changes dramatically: both spyware developers and anti-spyware developers must know how to view, and even manage, processes in their code. Strictly speaking, the first requirement comes from anti-spyware. Because processes, of which there are usually only a few dozen, are easier to analyze than all other system objects such as files and registry entries, professional anti-spyware detectors often focus on processes. A certain fact is that every process corresponds to a file, so if detectors suspect a process, it is easy for them to get the file that created the suspected process. From this clue, the remaining analysis can disclose the secret of the spyware quickly. To avoid being caught in the process list, spyware developers have to research how to prevent viewing and how to repair themselves in case some components are killed. For this reason, spyware also needs to view and manage processes; otherwise it cannot monitor and maintain itself intelligently.
Microsoft did not offer developers an interface for managing processes at the beginning. Nowadays we can use two groups of Win32 API functions, which came from Windows 98 and Windows NT respectively. The Windows 98 developers designed the ToolHelp32 API, which was later added to Windows 2000/XP, whereas the Windows NT developers used the Process Status Helper (PSAPI) library to implement the same functionality.
Although PSAPI is also released in later versions of Windows, its application seems narrower than ToolHelp32. In particular, it cannot be called on Windows 98/ME, so developers are unwilling to use it when they cannot decide or control which operating system is installed on user machines. Spyware, especially spyware that will run on a large number of computers, must cope with a variety of platforms. Therefore the ToolHelp32 API is more widely used by spyware, whose users are numerous, random and uncertain.
In addition to ToolHelp32 and PSAPI, there are several other ways. For example, the Performance Data Helper functions included in PDH.DLL use data from the registry to enumerate processes. Besides, now that we know the real data about running processes is kept in the registry, it is also feasible to query the currently running processes directly from the registry.
Moreover, an undocumented function, NtQuerySystemInformation, can enumerate processes too. From its name you can guess that it does not work on Windows 98/ME. We definitely do not think it is a good idea to employ an undocumented function when a documented function with the same functionality is available. We mention it here not to encourage its use, but because its corresponding kernel function, ZwQuerySystemInformation, is the key to hiding processes from all tools such as taskmgr.exe.
Simply stated, although the Win32 API offers several methods to enumerate currently running processes, unfortunately none of them works on every Win32 platform. Up to now, the ToolHelp32 API seems available on the widest range of platforms: except for Windows NT, it runs on almost all current Windows systems. Because only a few client machines run Windows NT, the ToolHelp32 API is the most popular option for spyware.