[0.2.x] fixed : phidecheck.py script

git-svn-id: https://pykd.svn.codeplex.com/svn@81602 9b283d60-5439-405e-af05-b73fd8c4d996

snippets/phidecheck.py

@@ -13,19 +13,19 @@ if __name__ == "__main__":
     quit(0)
 
   # build list from PsActiveProcessHead
-  pActiveProcessList = getOffset("nt", "PsActiveProcessHead")
+  pActiveProcessList = getOffset("nt!PsActiveProcessHead")
-  lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt", "_EPROCESS", "ActiveProcessLinks")
+  lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt!_EPROCESS", "ActiveProcessLinks")
   lstActiveProcesses = [process.getAddress() for process in lstTypedActiveProcesses]
   
   # build list from PspCidTable
-  pCidTable = ptrPtr(getOffset("nt", "PspCidTable"))
+  pCidTable = ptrPtr(getOffset("nt!PspCidTable"))
-  pProcessType = ptrPtr(getOffset("nt", "PsProcessType"))
+  pProcessType = ptrPtr(getOffset("nt!PsProcessType"))
   lstProcessTable = ntobj.getListByHandleTable(pCidTable, pProcessType, False)
 
   # compare lists and print result
   founded = 0
   for processFromTable in lstProcessTable:
-    if (0 == lstActiveProcesses.count(processFromTable)):
+    if (0 == lstActiveProcesses.count( addr64(processFromTable[0]) )):
-      dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable)
+      dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable[0] )
       founded += 1
   dprintln("checked %u processes" % len(lstProcessTable) + (", %u hidden" % founded if (0 != founded) else ", hidden not found"))