Invisible processes (from handles) / Copy SBI to Clipboard



KlausK
2008-05-08, 17:11
"The list on the left contains" some PIDs from:
Invisible processes (from handles)
[Right Click] on a PID offers:
Copy SBI to Clipboard
but the only thing it fetches is:
File:"<$FILE_EXE>",""

PepiMK
2008-05-13, 13:52
Arg, not nice, but kind of logical, because for a hidden process, it's often difficult to impossible to determine its filename.

Any suggestions on how to deal with hidden processes (question to everyone)?

As a start, I've added this feature request (http://forums.spybot.info/project.php?issueid=239) which would allow getting hold of the file (well, a dumped copy, but should be quite close to the original) at least.

(update: if the detail window already shows, you can probably "guess" the filename by looking at the name of the first loaded module on the Modules tab)
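The "invisible processes (from handles)" idea discussed above is a cross-view check: every entry in the system handle table names an owning PID, so a PID that owns handles but is missing from the ordinary process list is a candidate hidden process. The following is an added example, not RootAlyzer's or Safer Networking's code. The comparison and the "first loaded module" filename guess are plain Python; the Windows enumeration uses NtQuerySystemInformation with SystemExtendedHandleInformation and the Toolhelp snapshot API, whose ctypes declarations are my assumptions and only run on Windows. The guess is deliberately rejected when it equals the scanner's own image name, since that is the unreliable case the thread reports.

```python
"""Cross-view detection of hidden processes (added example, not RootAlyzer code)."""
import ctypes
import sys
from typing import Dict, Iterable, List, Optional, Set

# Assumption: PID 0 (System Idle Process) owns handle-table entries but is not an
# image-backed process, so it is never reported as "hidden".
PSEUDO_PIDS = {0}


def hidden_pids(visible: Iterable[int], handle_owners: Iterable[int],
                ignore: Iterable[int] = PSEUDO_PIDS) -> Set[int]:
    """PIDs that own handles but are absent from the normal process list."""
    return set(handle_owners) - set(visible) - set(ignore)


def guess_image(modules: Dict[int, List[str]], pid: int, scanner_image: str) -> Optional[str]:
    """Heuristic filename guess: the first loaded module of a process is usually its main image.

    If the first module is the scanner's own executable, the module list most likely
    does not belong to that process, so no guess is returned."""
    mods = modules.get(pid)
    if not mods:
        return None
    return None if mods[0].lower() == scanner_image.lower() else mods[0]


def sbi_file_line(path: Optional[str]) -> str:
    """SBI 'File:' line in the shape the thread shows; placeholder when the name is unknown."""
    return f'File:"{path or "<$FILE_EXE>"}",""'


if sys.platform == "win32":
    from ctypes import wintypes

    ULONG_PTR = ctypes.c_size_t  # pointer-sized unsigned integer

    class HANDLE_ENTRY_EX(ctypes.Structure):  # SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX (assumed layout)
        _fields_ = [("Object", ctypes.c_void_p), ("UniqueProcessId", ULONG_PTR),
                    ("HandleValue", ULONG_PTR), ("GrantedAccess", wintypes.ULONG),
                    ("CreatorBackTraceIndex", wintypes.USHORT), ("ObjectTypeIndex", wintypes.USHORT),
                    ("HandleAttributes", wintypes.ULONG), ("Reserved", wintypes.ULONG)]

    class PROCESSENTRY32W(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ULONG_PTR),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", wintypes.LONG),
                    ("dwFlags", wintypes.DWORD), ("szExeFile", wintypes.WCHAR * 260)]

    def handle_owner_pids() -> Set[int]:
        """Owner PID of every handle in the system handle table (SystemExtendedHandleInformation = 64)."""
        ntdll = ctypes.WinDLL("ntdll")
        size = 1 << 20
        while True:
            buf = ctypes.create_string_buffer(size)
            needed = wintypes.ULONG(0)
            status = ntdll.NtQuerySystemInformation(64, buf, size, ctypes.byref(needed)) & 0xFFFFFFFF
            if status != 0xC0000004:  # STATUS_INFO_LENGTH_MISMATCH: grow and retry
                break
            size = max(size * 2, needed.value + 4096)
        if status != 0:
            raise OSError(f"NtQuerySystemInformation failed: 0x{status:08X}")
        count = ULONG_PTR.from_buffer(buf).value
        offset = 2 * ctypes.sizeof(ULONG_PTR)  # NumberOfHandles + Reserved precede the array
        entries = (HANDLE_ENTRY_EX * count).from_buffer(buf, offset)
        return {int(e.UniqueProcessId) for e in entries}

    def visible_processes() -> Dict[int, str]:
        """PID -> image name from the ordinary Toolhelp process snapshot."""
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
        snap = k32.CreateToolhelp32Snapshot(2, 0)  # TH32CS_SNAPPROCESS
        if snap in (None, ctypes.c_void_p(-1).value):
            raise ctypes.WinError(ctypes.get_last_error())
        pe = PROCESSENTRY32W()
        pe.dwSize = ctypes.sizeof(pe)
        out: Dict[int, str] = {}
        ok = k32.Process32FirstW(snap, ctypes.byref(pe))
        while ok:
            out[pe.th32ProcessID] = pe.szExeFile
            ok = k32.Process32NextW(snap, ctypes.byref(pe))
        k32.CloseHandle(snap)
        return out


def main() -> None:
    if sys.platform != "win32":
        print("Live enumeration is Windows-only; the comparison logic itself is portable.")
        return
    visible = visible_processes()
    for pid in sorted(hidden_pids(visible, handle_owner_pids())):
        print(f"PID {pid}: owns handles but is missing from the process list -> {sbi_file_line(None)}")


if __name__ == "__main__":
    main()
```

The handle-table view is a cheap first signal, not proof: a PID can be absent from a snapshot simply because the process exited between the two enumerations, so a practitioner repeats the comparison and only reports PIDs that stay hidden across runs.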

KlausK
2008-05-15, 22:16
... (update: if the detail window already shows, you can probably "guess" the filename by looking at the name of the first loaded module on the Modules tab) ...

Ugh, nice tip.

RootAlyzer_0.2.0.32 finds two "Invisible processes (from Handles)".
DoubleClick shows no module, i.e. nothing. OK, let it keep running, start newest RootAlyzer in addition.
RootAlyzer_0.2.1.35 finds the same processes and a third one.
DoubleClick works (:bigthumb: for this feature)
First module all three times is "RootAlyzer.exe", the filename of RootAlyzer_0.2.1.35. (Yes, my "RootAlyzer.exe" files have different filenames, reflecting their version etc., so I can distinguish between them.)

Maybe the "third" process is RootAlyzer_0.2.1.35,
maybe the "second" process is RootAlyzer_0.2.0.32,
because they change with every new run of RootAlyzer.
But what is the "first" process? It is always the same process ID, even if RootAlyzer has finished and is started again. No other RootAlyzer is running (if Task Manager doesn't lie). And the first module of this process is every time the filename of the actually started RootAlyzer (file renaming works fine).
The list of modules seemed to be identical to the second and third processes, started and died with every running RootAlyzer.

BTW: I tried the buttons in RootAlyzer_0.2.1.35 after double-clicking a process ID:
[Terminate] has no effect.
[Save as file] mentioned: Error: Could not dump the memory contents of process 0 to a file.
(And yes, I tried all three process IDs I fetch.)

(BTW: if you need details, send email in German, my mother tongue)