Is there a hidden process?


When Windows creates a process, on the kernel side NtCreateUserProcess calls PspAllocateProcess, which calls ObCreateObjectEx with PsProcessType as the object type parameter:

PsProcessType is an instance of _OBJECT_TYPE:

The TotalNumberOfObjects field of _OBJECT_TYPE holds the total number of objects of that type; in our case, that is the number of process objects.

We can get the list of processes by walking ActiveProcessLinks and compare its length to the TotalNumberOfObjects field.

This way we can detect that there is a hidden process, but not which one.
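As an added example (not part of the original post), the comparison above done from a kernel debugger: the list is walked from nt!PsActiveProcessHead through ActiveProcessLinks rather than taken from a process enumeration API, and the count is set against PsProcessType->TotalNumberOfObjects. Symbol and type names are the public ntoskrnl ones; @$procs is a user-defined variable name chosen here.

```windbg
kd> dx -r0 @$procs = Debugger.Utility.Collections.FromListEntry(*(nt!_LIST_ENTRY*)&nt!PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks")
kd> dx @$procs.Count()
kd> dx nt!PsProcessType->TotalNumberOfObjects
kd> dx @$procs.Count() == nt!PsProcessType->TotalNumberOfObjects
kd> dx @$procs.Select(p => p.UniqueProcessId)
kd> dt nt!_OBJECT_TYPE poi(nt!PsProcessType) TotalNumberOfObjects
```

The last `dt` form reads the same field without the data model, for older debuggers. The two counters are updated at different points during process creation and teardown, so a one-off mismatch on a live system should be re-checked before concluding a process is hidden.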

Any feedback appreciated: @_qaz_qaz