[+] check for hidden processes: compare content of PspCidTable table and PsActiveProcessHead list

git-svn-id: https://pykd.svn.codeplex.com/svn@59104 9b283d60-5439-405e-af05-b73fd8c4d996

samples/phidecheck.py

@@ -0,0 +1,31 @@
+# 
+# Search hidden processes: 
+# compare content of PspCidTable table and PsActiveProcessHead list
+# 
+
+from pykd import *
+import ntobj
+
+if __name__ == "__main__":
+
+  if not isSessionStart():
+    print "Script is launch out of WinDBG"
+    quit(0)
+
+  # build list from PsActiveProcessHead
+  pActiveProcessList = getOffset("nt", "PsActiveProcessHead")
+  lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt", "_EPROCESS", "ActiveProcessLinks")
+  lstActiveProcesses = [process.getAddress() for process in lstTypedActiveProcesses]
+
+  # build list from PspCidTable
+  pCidTable = ptrPtr(getOffset("nt", "PspCidTable"))
+  pProcessType = ptrPtr(getOffset("nt", "PsProcessType"))
+  lstProcessTable = ntobj.getListByHandleTable(pCidTable, pProcessType, False)
+
+  # compare lists and print result
+  founded = 0
+  for processFromTable in lstProcessTable:
+    if (0 == lstActiveProcesses.count(processFromTable)):
+      dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable)
+      founded += 1
+  dprintln("checked 0x%x processes" % len(lstProcessTable) + (", %u hidden" % founded if (0 != founded) else ", hidden not found"))