#
# Search hidden processes:
# compare the process objects referenced from the PspCidTable handle table
# with the _EPROCESS entries linked into the PsActiveProcessHead list: a process
# that is still in the table but has been unlinked from the list is reported.
# A process removed from BOTH structures is not detected by this cross-check.
#
from pykd import *
import ntobj
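if __name__ == "__main__":
    # The pykd helpers used below (getOffset, typedVarList, ptrPtr, dprintln)
    # need a live debugging target, so bail out when not run inside WinDbg.
    if not isWindbgExt():
        # print() with a single argument produces the same output on
        # Python 2 and Python 3, so the guard works on either interpreter.
        print("Script is launch out of WinDBG")
        quit(0)

    # 1. Processes reachable by walking the PsActiveProcessHead list through
    #    _EPROCESS.ActiveProcessLinks. This is the list a DKOM rootkit unlinks
    #    an _EPROCESS from to hide it from tools that enumerate via the list.
    pActiveProcessList = getOffset("nt", "PsActiveProcessHead")
    lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt", "_EPROCESS", "ActiveProcessLinks")
    lstActiveProcesses = [process.getAddress() for process in lstTypedActiveProcesses]

    # 2. Process objects referenced from the PspCidTable handle table.
    #    NOTE(review): getListByHandleTable is assumed to yield addresses that
    #    compare equal to _EPROCESS.getAddress() above -- confirm against ntobj.
    pCidTable = ptrPtr(getOffset("nt", "PspCidTable"))
    pProcessType = ptrPtr(getOffset("nt", "PsProcessType"))
    lstProcessTable = ntobj.getListByHandleTable(pCidTable, pProcessType, False)

    # 3. Anything present in the CID table but absent from the active list has
    #    been unlinked. Limitations a practitioner should keep in mind:
    #    - the converse (in the list, missing from the table) is not reported;
    #    - a process removed from BOTH structures is invisible to this check,
    #      so "hidden not found" is not proof that nothing is hidden.
    found = 0
    for processFromTable in lstProcessTable:
        # `not in` uses the same == comparison as list.count() did, without
        # depending on the elements being hashable.
        if processFromTable not in lstActiveProcesses:
            dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable)
            found += 1

    summary = "checked %u processes" % len(lstProcessTable)
    if 0 != found:
        summary += ", %u hidden" % found
    else:
        summary += ", hidden not found"
    dprintln(summary)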