From e5211259031d175d8e7e2f053058ed1dd24f7ce5 Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
Date: Mon, 3 Dec 2012 06:28:25 +0000
Subject: [PATCH] [0.2.x] fixed : phidecheck.py script

git-svn-id: https://pykd.svn.codeplex.com/svn@81602 9b283d60-5439-405e-af05-b73fd8c4d996
---
 snippets/phidecheck.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/snippets/phidecheck.py b/snippets/phidecheck.py
index e03522e..8751eba 100644
--- a/snippets/phidecheck.py
+++ b/snippets/phidecheck.py
@@ -13,19 +13,19 @@ if __name__ == "__main__":
         quit(0)
     # build list from PsActiveProcessHead
-    pActiveProcessList = getOffset("nt", "PsActiveProcessHead")
-    lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt", "_EPROCESS", "ActiveProcessLinks")
+    pActiveProcessList = getOffset("nt!PsActiveProcessHead")
+    lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt!_EPROCESS", "ActiveProcessLinks")
     lstActiveProcesses = [process.getAddress() for process in lstTypedActiveProcesses]
-
+
     # build list from PspCidTable
-    pCidTable = ptrPtr(getOffset("nt", "PspCidTable"))
-    pProcessType = ptrPtr(getOffset("nt", "PsProcessType"))
+    pCidTable = ptrPtr(getOffset("nt!PspCidTable"))
+    pProcessType = ptrPtr(getOffset("nt!PsProcessType"))
     lstProcessTable = ntobj.getListByHandleTable(pCidTable, pProcessType, False)
     # compare lists and print result
     founded = 0
     for processFromTable in lstProcessTable:
-        if (0 == lstActiveProcesses.count(processFromTable)):
-            dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable)
+        if (0 == lstActiveProcesses.count( addr64(processFromTable[0]) )):
+            dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable[0] )
             founded += 1
     dprintln("checked %u processes" % len(lstProcessTable) + (", %u hidden" % founded if (0 != founded) else ", hidden not found"))
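Review bot: The membership test on the new `if` line normalizes only one side of the comparison — `addr64()` is applied to `processFromTable[0]` but not to the `process.getAddress()` values collected into `lstActiveProcesses`, so if those two sources ever differ in sign-extension the cross-view check could produce false hidden-process reports; either normalize both lists the same way or add a comment stating why `getAddress()` is already 64-bit canonical. The `list.count(...)` lookup is also O(n) per handle-table entry; building `activeAddrs = set(lstActiveProcesses)` once before the loop and testing `if addr64(processFromTable[0]) not in activeAddrs:` is both clearer and linear. The `dprintln` line prints the raw `processFromTable[0]` rather than the normalized value the comparison used, so printing `addr64(processFromTable[0])` keeps the reported `!process` argument consistent with what was actually tested. A comment such as `# each handle-table entry is a sequence whose [0] is the object address` would explain the `[0]` indexing, which the hunk introduces without saying what getListByHandleTable now returns. The enclosing `if __name__ == "__main__":` block starts before this hunk.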