# 
# Search for hidden processes:
# compare the contents of the PspCidTable handle table with the PsActiveProcessHead list
# 

from pykd import *
import ntobj

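if __name__ == "__main__":
  # Cross-view check for processes unlinked from the active process list:
  # every process object found through the PspCidTable handle table is looked
  # up in the list headed by PsActiveProcessHead, and the ones missing from
  # that list are reported.
  #
  # NOTE(review): a reported entry is a lead, not a verdict. The check only
  # detects unlinking from ActiveProcessLinks; a process that has also been
  # removed from PspCidTable will not show up here, and a process caught in
  # the middle of creation or teardown may presumably differ between the two
  # views. Confirm a hit against an independent view (for example the
  # `!process` output suggested in the message) before acting on it.

  if not isWindbgExt():
    # The parenthesised form prints the same text under Python 2 and also
    # parses under Python 3.
    print("Script is launch out of WinDBG")
    quit(0)

  # View 1: addresses of the _EPROCESS entries linked through
  # ActiveProcessLinks, starting at nt!PsActiveProcessHead.
  pActiveProcessList = getOffset("nt!PsActiveProcessHead")
  lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt!_EPROCESS", "ActiveProcessLinks")
  # Both views are normalised with addr64() so the comparison does not depend
  # on how each API represents an address; a set makes each lookup O(1)
  # instead of a list scan per table entry.
  activeProcesses = set(addr64(process.getAddress()) for process in lstTypedActiveProcesses)

  # View 2: objects of the process type enumerated from the handle table that
  # nt!PspCidTable points to.
  # NOTE(review): getListByHandleTable lives in the project's ntobj module;
  # the code below assumes each returned item holds the object address at
  # index 0, and the meaning of the third argument is not visible here.
  pCidTable = ptrPtr(getOffset("nt!PspCidTable"))
  pProcessType = ptrPtr(getOffset("nt!PsProcessType"))
  lstProcessTable = ntobj.getListByHandleTable(pCidTable, pProcessType, False)

  # Report every table entry that has no counterpart in the active list.
  hiddenCount = 0
  for processFromTable in lstProcessTable:
    if addr64(processFromTable[0]) not in activeProcesses:
      dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable[0])
      hiddenCount += 1

  if hiddenCount != 0:
    summaryTail = ", %u hidden" % hiddenCount
  else:
    summaryTail = ", hidden not found"
  dprintln("checked %u processes" % len(lstProcessTable) + summaryTail)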