SXGuy Posted March 2, 2008

I need some help with identifying hidden processes. I want to search the dispatch queues for a process name I supply to look for. The app I wish to get the PID of uses a method to hide its processes by unlinking EPROCESS objects from the PsActiveProcessList. The application also hooks a few APIs, as well as CreateToolHelp32Snapshot. So I can't just scan the process list as it won't be there; the only way to do it is to check the dispatch queue. By comparing the active process list with the dispatch queues, it is possible to identify discrepancies. A process which appears in the dispatch queue but not in the active process list is assumed to be hidden, so could I perhaps compare the two, and bring back a PID result based on the process name I supply it to look for? If so, how would I start?
/dev/null Posted March 2, 2008

> I need some help with identifying hidden processes. I want to search the dispatch queues for a process name I supply to look for. The app I wish to get the PID of uses a method to hide its processes by unlinking EPROCESS objects from the PsActiveProcessList. The application also hooks a few APIs, as well as CreateToolHelp32Snapshot. So I can't just scan the process list as it won't be there; the only way to do it is to check the dispatch queue. By comparing the active process list with the dispatch queues, it is possible to identify discrepancies. A process which appears in the dispatch queue but not in the active process list is assumed to be hidden, so could I perhaps compare the two, and bring back a PID result based on the process name I supply it to look for? If so, how would I start?

Have a look at the source code of klister: http://www.invisiblethings.org/tools/klister-0.4.zip. Klister tries to detect Windows rootkits that do exactly what you described.

Cheers
Kurt
__________________________________________________________
(l)user: Hey admin slave, how can I recover my deleted files?
admin: No problem, there is a nice tool. It's called rm, like recovery method. Make sure to call it with the "recover fast" option like this: rm -rf *
SXGuy Posted March 2, 2008 (Author)

Thanks for replying. I actually checked that out a little while ago; it looks good. Another is a proof-of-concept work called KProcCheck. I just wondered if there was any specific way in AutoIt to detect processes using a DKOM rootkit basically, but I guess not. Thanks for your help anyway.
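The cross-view comparison the first post describes (flag any process that a second, lower-level enumeration reports but the normal process list does not, then filter by image name) as an added example; this is not code from the thread, from klister or from KProcCheck. The two views here are constructed in-memory samples standing in for the user-mode process list and for a scheduler-side walk; a real tool would fill them from the live system, and the comparison logic stays the same. The one caveat a practitioner hits immediately is that the two enumerations cannot be taken at the same instant, so a process that starts or exits between them shows up as a one-off discrepancy; the example therefore also confirms a candidate across several rounds before calling it hidden.

```python
"""Cross-view detection of hidden processes (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEntry:
    pid: int
    name: str

    def key(self):
        # Image names on Windows are case-insensitive, and a PID alone is not
        # enough because PIDs are reused after a process exits.
        return (self.pid, self.name.lower())


# Constructed sample: the "high" view, i.e. what a user-mode API such as
# CreateToolhelp32Snapshot would report on a machine with a DKOM rootkit.
API_VIEW = [
    ProcEntry(4, "System"),
    ProcEntry(512, "csrss.exe"),
    ProcEntry(1040, "explorer.exe"),
    ProcEntry(2200, "notepad.exe"),
    ProcEntry(2800, "shortlived.exe"),  # exited between the two enumerations
]

# Constructed sample: the "low" view, i.e. what a kernel-side walk of the
# scheduler's dispatcher structures would report for the same moment.
LOW_VIEW = [
    ProcEntry(4, "System"),
    ProcEntry(512, "csrss.exe"),
    ProcEntry(1040, "explorer.exe"),
    ProcEntry(2200, "notepad.exe"),
    ProcEntry(3316, "hidden.exe"),   # unlinked from PsActiveProcessList
    ProcEntry(3400, "Hidden.exe"),   # same image, different case and PID
]


def cross_view_diff(high, low):
    """Return (hidden, phantom).

    hidden:  entries the low view reports but the high view does not
             (the DKOM signature the thread is about).
    phantom: entries only the high view reports; usually a process that
             exited between the two enumerations rather than anything hostile.
    """
    high_keys = {e.key(): e for e in high}
    low_keys = {e.key(): e for e in low}
    hidden = sorted((low_keys[k] for k in low_keys.keys() - high_keys.keys()),
                    key=lambda e: e.pid)
    phantom = sorted((high_keys[k] for k in high_keys.keys() - low_keys.keys()),
                     key=lambda e: e.pid)
    return hidden, phantom


def find_hidden_pids(name, high=API_VIEW, low=LOW_VIEW):
    """PIDs of processes whose image name matches `name` (case-insensitive)
    that the low view sees but the high view does not."""
    hidden, _ = cross_view_diff(high, low)
    return [e.pid for e in hidden if e.name.lower() == name.lower()]


def confirm_across_rounds(rounds):
    """Keep only entries that are hidden in every (high, low) round.

    Taking the two views several times and intersecting the results removes
    the transient discrepancies caused by processes starting or exiting
    between enumerations.
    """
    confirmed = None
    for high, low in rounds:
        keys = {e.key(): e for e in cross_view_diff(high, low)[0]}
        if confirmed is None:
            confirmed = keys
        else:
            confirmed = {k: v for k, v in confirmed.items() if k in keys}
    return sorted((confirmed or {}).values(), key=lambda e: e.pid)


def report(high=API_VIEW, low=LOW_VIEW):
    """Human-readable summary of one cross-view comparison."""
    hidden, phantom = cross_view_diff(high, low)
    lines = [f"HIDDEN  pid={e.pid:<6} {e.name}" for e in hidden]
    lines += [f"PHANTOM pid={e.pid:<6} {e.name}  (API view only; likely exited)"
              for e in phantom]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
    print("hidden.exe PIDs:", find_hidden_pids("hidden.exe"))
    # Second round where PID 3400 is no longer present: only 3316 is confirmed.
    rounds = [(API_VIEW, LOW_VIEW), (API_VIEW, LOW_VIEW[:-1])]
    print("confirmed:", [e.pid for e in confirm_across_rounds(rounds)])
```

The name filter runs over the discrepancy set rather than over the low view directly, so a process that is present in both views is never reported even when its name matches; that is what keeps the check specific to unlinked processes rather than to a process name.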