Under winxp, are there any programs or viruses that can run in the background without being displayed in the task manager? Why?
Think of it this way! Let me explain it in plain terms:

1. Task Manager displays Windows "processes". However, a process may contain many "threads", and these threads can each do different things. For example, when you browse a website, one thread in iexplore.exe is responsible for connecting to the site and retrieving data, while another is responsible for rendering and displaying the images you see. A virus or Trojan can "add" a thread to one of your normal programs to run malicious code, and that thread is invisible in Task Manager.

2. A virus or Trojan can also create a new process in such a way that you cannot see it. The principle is that when Task Manager displays processes, it sends a request to the Windows kernel: "Please give me a list of currently running processes". If there is malicious code in the system kernel, it can intercept this request, modify the returned list, and filter out the processes it does not want users to see.

3. Even if the process is displayed in Task Manager, you may not recognize it. Do you know which svchost.exe is running a normal service and which svchost.exe is running a Trojan service? What does it mean when cmd.exe appears in the process list while you have not opened a command prompt? Although it carries Microsoft's digital signature, it is not necessarily performing normal operations.

How do you find these hidden behind-the-scenes actors?

1. Check whether there are abnormal modules in a process. Almost all ARK (anti-rootkit) software has this function. Modules without valid digital signatures are often abnormal; some ARK software displays such modules in a different color.

2. Check whether the kernel has abnormal drivers. Some ARK software has this function, and the identification method is the same as above.

3. Check whether there is an abnormal kernel hook. The method of "intercepting kernel requests" described above is a hook. Although normal programs may also set kernel hooks, they are very few (generally anti-virus software, firewalls, and sandboxes).
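One way to check for the hidden-process trick described in point 2, as an added example that is not part of the original answer: ask Windows for the process list through two different APIs and diff the results, the cross-view comparison that ARK tools rely on. The Win32 calls and the PROCESSENTRY32 layout below are standard Windows APIs; the PID lists used to exercise the diff are constructed.

```python
"""Cross-view check for hidden processes (added example, not from the original answer).
A rootkit hiding a process hooks the call Task Manager uses to list processes. A classic
anti-rootkit check asks two different APIs for the list and diffs them: a PID in one view
but not the other is suspicious. Views here: Toolhelp snapshot and psapi EnumProcesses."""
import ctypes
import sys

def diff_views(view_a, view_b):
    """Return (only_in_a, only_in_b) as sorted PID lists; platform-neutral core of the check."""
    a, b = set(view_a), set(view_b)
    return sorted(a - b), sorted(b - a)
def toolhelp_pids():
    """View 1: CreateToolhelp32Snapshot + Process32First/Next from kernel32 (Windows only)."""
    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", ctypes.c_uint32), ("cntUsage", ctypes.c_uint32),
                    ("th32ProcessID", ctypes.c_uint32),
                    ("th32DefaultHeapID", ctypes.c_size_t),  # ULONG_PTR
                    ("th32ModuleID", ctypes.c_uint32), ("cntThreads", ctypes.c_uint32),
                    ("th32ParentProcessID", ctypes.c_uint32), ("pcPriClassBase", ctypes.c_int32),
                    ("dwFlags", ctypes.c_uint32), ("szExeFile", ctypes.c_char * 260)]  # MAX_PATH
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p  # HANDLE, keep full width on x64
    k32.Process32First.argtypes = k32.Process32Next.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(0x2, 0)  # TH32CS_SNAPPROCESS
    entry = PROCESSENTRY32(dwSize=ctypes.sizeof(PROCESSENTRY32))
    pids = []
    ok = k32.Process32First(snap, ctypes.byref(entry))
    while ok:
        pids.append(entry.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return pids
def psapi_pids():
    """View 2: EnumProcesses from psapi, growing the buffer until the whole list fits."""
    psapi = ctypes.windll.psapi
    count = 1024
    while True:
        arr = (ctypes.c_uint32 * count)()
        needed = ctypes.c_uint32(0)  # bytes written by the call
        if not psapi.EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
            raise ctypes.WinError()
        if needed.value < ctypes.sizeof(arr):
            return list(arr[: needed.value // 4])
        count *= 2
if __name__ == "__main__" and sys.platform == "win32":
    only_th, only_ps = diff_views(toolhelp_pids(), psapi_pids())
    print("Toolhelp only:", only_th, "| EnumProcesses only:", only_ps)
```

A process that starts or exits between the two calls shows up as a one-off difference, so repeat the check before treating a PID as hidden. A hook that filters both user-mode paths identically will not be caught this way, which is why ARK tools also walk kernel structures directly.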