tags:

views:

474

answers:

4

Hello,

I need to create an application which will be reading and writing to files (C++/MFC), but I need the process not to appear in Process Monitor (which comes with Sysinternals).

From the reactions of others, I now confirm that this seems "illegal", but that is the request of the client I'm dealing with. So, I guess I just have to satisfy the client's request.

+19  A: 

One of the uses of Process Monitor is to find and remove malicious software that tries to hide from the user:

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

I am not saying that what you want to do is impossible, rather that you are trying to do something that feels a bit dishonest.

That being said I would like you to consider the fact that you are trying to hide a process from a utility that was written to find anything and everything by folks that are a lot smarter than you and me.

Andrew Hare
Nice reply, Andrew. You're probably right. Thanks. Does anyone else know how to actually do this?
Attilah
If they do, it is my hope that they won't post how. I can't imagine a good reason for doing this, and would be interested in yours.
ceejayoz
Attilah: I'll repeat what someone else said on a question like this: "I don't know how to do this, and if I figured out a way, I'd report it to Microsoft as a bug."
Aric TenEyck
+16  A: 

I'll assume you're not planning to do anything malicious. If that's the case, it's important you don't hide your application from diagnostic tools. You can't guarantee your application is bug free. Even if it is, you can't predict its interaction with other applications. Because of that, you should leave it visible so other technical people can troubleshoot if something goes wrong.

Regarding your comment, "so, I guess I just have to satisfy the client's request" - not if it's illegal or technically dangerous for them. You need to protect yourself and them from bad judgment.

Corbin March
+1 This is good advice.
Andrew Hare
Yup, +1 for "You need to protect yourself and them from bad judgment"
Binary Worrier
+12  A: 

PM reads data at a very low level, so to hide from it you have to actually take over certain NT kernel structures and methods to report different information to PM than what Windows itself sees. Doing this is platform and version dependent (i.e. Windows XP SP1 is different from Windows XP SP2, which is different from Vista x64, etc.). It's nearly impossible to do correctly without creating an incredible number of system instability issues.

While it's not strictly illegal, every company that has done it and been discovered (which you will be) has enjoyed lots of backlash and criticism from users and security professionals. Again, while not explicitly illegal, the kinds of changes required can open severe security holes on the end users' machines. Should they have major system crashes or be exposed to hackers/viruses, you may be legally liable for the damage.

Paul Alexander
(+1) from me for actually trying to answer the question, while at the same time cautioning the OP from actually doing it.
+2  A: 

Possible semi-legitimate (though I wouldn't want my name associated with them) applications you would want to keep people from seeing are DRM enforcers and nanny-cam-style monitors for kids and errant spouses.

That said, I don't think your client really wants you to subvert such an important system. They likely want something less rootkit-like but they picked up the vocabulary watching "24" and have failed to adequately express what it is they want done.

My advice would be to go back to them for clarification. If they do indeed want something to be completely undetectable then you need to decide based on your own conscience whether to proceed or leave the client.

Rob Allen
"Errant spouses." Heh.
Chris Farmer
(+1) for going back to the client to determine what they want their application to DO not how they want to do it.