
Help comparing PSActiveProcessList with Dispatch Queues



I need some help with identifying hidden processes. I want to search the dispatch queues for a process name I supply to look for.

The app I wish to get the PID of uses a method to hide its processes by unlinking EPROCESS objects from the PsActiveProcessList.

The application also hooks a few APIs, as well as CreateToolHelp32Snapshot.

So I can't just scan the process list as it won't be there; the only way to do it is to check the dispatch queue.

By comparing the active process list with the dispatch queues, it is possible to identify discrepancies. A process which appears in the dispatch queue but not in the active process list is assumed to be hidden, so could I perhaps compare the two, and bring back a PID result based on the process name I supply it to look for?

If so, how would I start?
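The cross-view comparison described in this post, as an added example that is not code from this thread or from klister: a stand-alone C program that models the two views on toy structures. The `PROC` and `THREAD` layouts, the two ready queues, the process names and PIDs are all constructed for the demo (the real EPROCESS/ETHREAD layouts are version-specific, and a real detector has to read them from a kernel driver, which is why a user-mode script cannot do this directly). One process is unlinked from the active list the way the post describes; it stays reachable through its threads on the dispatcher queues, and the diff between the two views returns its PID by name.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy stand-ins for EPROCESS/ETHREAD and their list links. These layouts are
 * simplified assumptions for the demo, not the real kernel structures. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _PROC {
    unsigned long pid;
    char name[16];
    LIST_ENTRY links;         /* ActiveProcessLinks: the list the rootkit unlinks */
} PROC;

typedef struct _THREAD {
    unsigned long tid;
    PROC *owner;              /* back-pointer to the owning process */
    LIST_ENTRY ready;         /* entry on a dispatcher ready queue */
} THREAD;

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
/* What the post's DKOM technique does to the list: the neighbours skip the
 * entry and the entry's own links point at itself, so the process keeps
 * running normally but a list walk never reaches it. */
static void list_unlink(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

#define NPROC 4
#define NTHREAD 6
#define NQUEUES 2             /* pretend there are two priority-level ready queues */

/* Constructed sample processes (names and PIDs are made up). */
static PROC procs[NPROC] = {
    {4, "System", {0, 0}}, {1234, "hidden.exe", {0, 0}},
    {2000, "notepad.exe", {0, 0}}, {3000, "explorer.exe", {0, 0}},
};
/* Constructed sample: which process each runnable thread belongs to. */
static THREAD threads[NTHREAD] = {
    {8, &procs[0], {0, 0}}, {1240, &procs[1], {0, 0}}, {1244, &procs[1], {0, 0}},
    {2004, &procs[2], {0, 0}}, {3004, &procs[3], {0, 0}}, {3008, &procs[3], {0, 0}},
};
static LIST_ENTRY active_head;
static LIST_ENTRY ready_heads[NQUEUES];

/* Build both views, then hide one process the way the post describes. */
void setup_demo(void) {
    list_init(&active_head);
    for (int i = 0; i < NPROC; i++) list_append(&active_head, &procs[i].links);
    for (int q = 0; q < NQUEUES; q++) list_init(&ready_heads[q]);
    for (int i = 0; i < NTHREAD; i++)
        list_append(&ready_heads[i % NQUEUES], &threads[i].ready);
    list_unlink(&procs[1].links);        /* hidden.exe leaves the active list */
}

/* View 1: is this process reachable by walking the active process list? */
int in_active_list(const PROC *p) {
    for (LIST_ENTRY *e = active_head.Flink; e != &active_head; e = e->Flink)
        if (CONTAINING_RECORD(e, PROC, links) == p) return 1;
    return 0;
}

/* View 2: every thread on a dispatcher queue names its owner, so walking the
 * queues yields processes the list walk can no longer reach. Returns the PID
 * of a process that matches `name` and is missing from view 1, or 0 if none. */
unsigned long find_hidden_pid(const char *name) {
    for (int q = 0; q < NQUEUES; q++)
        for (LIST_ENTRY *e = ready_heads[q].Flink; e != &ready_heads[q]; e = e->Flink) {
            PROC *p = CONTAINING_RECORD(e, THREAD, ready)->owner;
            if (strcmp(p->name, name) == 0 && !in_active_list(p)) return p->pid;
        }
    return 0;
}

/* Full cross-view diff: count distinct processes seen via threads but not via
 * the list (a process with several threads is reported once). */
int count_hidden(void) {
    const PROC *seen[NTHREAD];
    int nseen = 0, hidden = 0;
    for (int q = 0; q < NQUEUES; q++)
        for (LIST_ENTRY *e = ready_heads[q].Flink; e != &ready_heads[q]; e = e->Flink) {
            const PROC *p = CONTAINING_RECORD(e, THREAD, ready)->owner;
            int dup = 0;
            for (int i = 0; i < nseen; i++) if (seen[i] == p) dup = 1;
            if (dup) continue;
            seen[nseen++] = p;
            if (!in_active_list(p)) { hidden++; printf("hidden: pid %lu %s\n", p->pid, p->name); }
        }
    return hidden;
}

int main(void) {
    setup_demo();
    printf("hidden.exe -> pid %lu\n", find_hidden_pid("hidden.exe"));
    printf("notepad.exe -> pid %lu (0 = visible or absent)\n", find_hidden_pid("notepad.exe"));
    return count_hidden() == 1 ? 0 : 1;
}
```

The point of the second view is that the scheduler must still reach the hidden process's threads or it would never run, so any structure the kernel needs for the process to keep working (here, the thread's owner pointer) is a view the list unlink cannot remove. A real detector such as klister does this walk inside a driver against the true EPROCESS/KTHREAD offsets for the running kernel version; the comparison logic itself is the same as above.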



Have a look at the source code of klister: http://www.invisiblethings.org/tools/klister-0.4.zip. Klister tries to detect Windows rootkits that do exactly what you described.

Cheers

Kurt



Thanks for replying. I actually checked that out a little while ago, it looks good. Another is a proof-of-concept work called KProcCheck.

I just wondered if there was any specific way in AutoIt to detect processes using a DKOM rootkit, basically, but I guess not.

Thanks for your help anyway.
