Hiding FAHCore from process list

t1rhino

So on all of my folding machines it is installed as a service using srvany. No problems at all.

Now, the question is...



Does anyone know how to hide FAHCore from the process list?
I know how to hide an application from the application list, but the process list is another thing...
Renaming the core would require me to hack the console which I am not too fond of. I am searching for a way to do it through programming. VB, C++, whatever...

t1rhino

Here's a screenie just incase you are wondering what the hell I am talking about...

seversphere

if you figure out how to get it renamed you'll be the first to do so with the core.

hypermood

This will take some work to do, and someone may have already done it. After a process is created, the NT/2K/XP kernel maintains a list of 'EPROCESS' blocks in system space (available only to the kernel) to account for running processes. The image filename is stored in this block. You will not be able to modify this information from user mode after a process is created/executing.

To do this you will need to be running in kernel mode to get access to the 'PsActiveProcessHead' system variable. This is the head of the linked list of running processes. You would also need to use the kernel 'PsSetLoadImageNotifyRoutine' function to have the OS notify you when the appropriate image is loaded. In short, you need the NTDDK and a custom device driver to accomplish this. That should get you started if you wish to undertake this endeavor

t1rhino

Well I renamed the core to CCWCore_78.exe and was able to get it working. That was pretty easy. I just wonder what happens when the core gets outdated and downloads a new core???

t1rhino

Holy crap Batman!!! Check out my folding log...

# Windows Console Edition #####################################################
###############################################################################

Folding@home Client Version 3.25

http://foldingathome.stanford.edu
email:help@foldingathome.stanford.edu

###############################################################################
###############################################################################



[16:55:12] - Ask before connecting: No
[16:55:12] - User name: t1rhino (Team 93)
[16:55:12] - User ID = n/a
[16:55:12] - Machine ID: 1
[16:55:12]
[16:55:13] Loaded queue successfully.
[16:55:13] + Benchmarking ...
[16:55:16]
[16:55:16] + Processing work unit
[16:55:16] Core required: CCWCore_78.exe
[16:55:16] Core not found.
[16:55:16] - Core is not present or corrupted.
[16:55:16] - Attempting to download new core...
[16:55:16] + Downloading new core: CCWCore_78.exe
[16:55:18] + 10240 bytes downloaded
[16:55:19] + 20480 bytes downloaded
[16:55:19] + 30720 bytes downloaded
[16:55:19] + 40960 bytes downloaded
[16:55:19] + 51200 bytes downloaded
[16:55:19] + 61440 bytes downloaded
[16:55:20] + 71680 bytes downloaded
[16:55:20] + 81920 bytes downloaded
[16:55:20] + 92160 bytes downloaded
[16:55:20] + 102400 bytes downloaded
[16:55:20] + 112640 bytes downloaded
[16:55:21] + 122880 bytes downloaded
[16:55:21] + 133120 bytes downloaded
[16:55:21] + 143360 bytes downloaded
[16:55:21] + 153600 bytes downloaded
[16:55:21] + 163840 bytes downloaded
[16:55:21] + 174080 bytes downloaded
[16:55:22] + 184320 bytes downloaded
[16:55:22] + 194560 bytes downloaded
[16:55:22] + 204800 bytes downloaded
[16:55:22] + 215040 bytes downloaded
[16:55:22] + 225280 bytes downloaded
[16:55:23] + 235520 bytes downloaded
[16:55:23] + 245760 bytes downloaded
[16:55:23] + 256000 bytes downloaded
[16:55:23] + 266240 bytes downloaded
[16:55:24] + 276480 bytes downloaded
[16:55:24] + 286720 bytes downloaded
[16:55:24] + 296960 bytes downloaded
[16:55:25] + 307200 bytes downloaded
[16:55:25] + 317440 bytes downloaded
[16:55:25] + 327680 bytes downloaded
[16:55:25] + 337920 bytes downloaded
[16:55:26] + 348160 bytes downloaded
[16:55:26] + 358400 bytes downloaded
[16:55:26] + 368640 bytes downloaded
[16:55:26] + 378880 bytes downloaded
[16:55:27] + 389120 bytes downloaded
[16:55:27] + 399360 bytes downloaded
[16:55:27] + 409600 bytes downloaded
[16:55:27] + 419840 bytes downloaded
[16:55:28] + 430080 bytes downloaded
[16:55:28] + 440320 bytes downloaded
[16:55:28] + 450560 bytes downloaded
[16:55:29] + 460800 bytes downloaded
[16:55:29] + 471040 bytes downloaded
[16:55:29] + 481280 bytes downloaded
[16:55:29] + 491520 bytes downloaded
[16:55:29] + 501760 bytes downloaded
[16:55:30] + 512000 bytes downloaded
[16:55:30] + 522240 bytes downloaded
[16:55:30] + 532480 bytes downloaded
[16:55:30] + 542720 bytes downloaded
[16:55:30] + 552960 bytes downloaded
[16:55:31] + 563200 bytes downloaded
[16:55:31] + 573440 bytes downloaded
[16:55:31] + 583680 bytes downloaded
[16:55:31] + 593920 bytes downloaded
[16:55:31] + 604055 bytes downloaded
[16:55:31] Verifying core Core_78.fah...
[16:55:31] Signature is VALID
[16:55:31] Created: Wednesday April 10, 2002 00:01:22 UTC
[16:55:31] Signed: Thursday April 3, 2003 00:01:22 UTC
[16:55:31]
[16:55:31] Trying to unzip core CCWCore_78.exe
[16:55:32] Decompressed CCWCore_78.exe (1728512 bytes) successfully
[16:55:32] + Core successfully engaged
[16:55:37]
[16:55:38] + Processing work unit
[16:55:38] Core required: CCWCore_78.exe
[16:55:38] Core found.
[16:55:38] Working on Unit 03 [November 6 16:55:38]
[16:55:38] + Working ...
[16:55:38]
[16:55:38] *

---

*
[16:55:38] Folding@home Gromacs Core
[16:55:38] Version 1.53 (October 2, 2003)
[16:55:38]
[16:55:38] Preparing to commence simulation
[16:55:38] - Looking at optimizations...
[16:55:38] - Files status OK
[16:55:39] - Expanded 195245 -> 951797 (decompressed 487.4 percent)
[16:55:39]
[16:55:39] Project: 358 (Run 0, Clone 67, Gen 5)
[16:55:39]
[16:55:39] Assembly optimizations on if available.
[16:55:39] Entering M.D.

Wow... That's friggin amazing... My console client even downloads the new core to whatever filename I like.
This could be dangerous!!!

mmonnin

Hmm I didnt think it would do that. I would think the client would look for a certain name depending on what WU you have.

t1rhino

I didn't think it would work either.

seversphere

well can you completely rename it or just have to leave the core_78 part in?

Straight_Man

Given that the names parse left to right, he should be able to rename the client core name list AND the individual file names for the cores to match and have synchrony. Essentially, Gromacs uses Core_78 and Tinker uses Core_65 right now. Client decides what core to get and WU analysis by client decides base TYPE of WU. So, change nemes used by Client to call cores and the file names of the Cores themselves. That make more sense???

BTW, in Linux I can name my CLIENT anything I like also. Thus, the CONSOLE should be renamable also. So long as the thing is not ported to another computer, Folding does nto care what the local box calls the console executable file and ignores that TOTALLY. It uses the Machine ID+UID Hash to ID what machine of what user account gets credited. My Linux client is named FAH324_LB.exe and runs fine as I got tired ot mistyping the much longer name it came with. So, yes, you should be able to rename BOTH if you reset the service establisher program you are using before you reboot to get registry updated. You can also driectly tell XP and 2000 to run a client as a service, and I do this to save the RAM implications of using middleware to do what can be done directly. XP does not care what the SERVICE is named, so long as you do one of two things:

Either you disestablish the client as a service, rename, then reestablish using new name, reboot, or;

Either you disestablish the client as a service, rename, reboot then reestablish using new name, reboot.

First is faster by one reboot.

Yes, BOTH core and client are renamable.

John.

mmonnin

The reason why I thought the core could not be rename is because the client, no matter whats its called, calls for a certain file depending on the WU it is processing. If its not there it finds a new one. I have renamed it and it has downloaded another core in the same folder. It did this cause it did not find the file it needed.

t1rhino

To change the core name you need to edit the folding client which is a violation of the license.

hypermood

I got this to work guys (and gals). I wrote a device driver that will rename the processes when they are added to the kernels active process list on the fly.

Registry values provide complete control over the name of the file as it will appear in the TaskMgr process. Check out the screenie below:

t1rhino

Nice work hypermood! What language?

hypermood

It's written in C.

Enisada

Anyway I could get that from you hypermood??

hypermood

Instructions are included in the zip attachment. NOTE - This works under NT4 and 2K NOT XP.

Enisada

Thank you....

EMT

That is reeally cool. I didn't know we had anyone who knows as much system programming as you hypermood. Can we see the source?

hypermood

There is actually a companion to procmap called psterm so I included the source to that as well. You'll need the NTDDK to build procmap.

Enisada

Does this run on Windows XP? Does this show up as a service? It doesn't seem to be working for me...

hypermood

It should run under Windows XP, but I don't have XP. It shows up as a device driver. Go to 'Device Manager->View->Show Hidden Devices' and then expand 'Non-Plug and Play Drivers' and make sure 'Procmap' is listed. Locate the properties and verify that the driver is started.

Enisada

Everything is good under the Device Manager. I've attached the image.

hypermood

I thought that I had tested this under XP way back. Anyway, I'll build a debug version of the driver later tonight and PM you. Sound OK?

Enisada

Your too good to me, that would be great. Thanks

hypermood

I did some preliminary digging. XP displays the image name from the actual file and is not limited to a 15 character copy of the name as is NT4 and 2K. I'll need to track down where the name for the real file is stored in the object table to fix this for XP. Work's got me pretty busy right now so don't hold your breath. Although, since I posted the source this should give an aspiring windows kernel hacker a good head start

Enisada

No problem, whenever you get around to it.

Medlock

Can this actually hide it from the process list or just rename it? Or maybe setting a certain registry value will hide it? I'm also interested, but running XP as well.

hypermood

Just renames. Hiding involves hooking certain kernel routines, and I'm not currently doing that.

Medlock

Well, renaming would certainly make things easier. I'm running two consoles here.

Enisada

Any progress on a Window XP system??