
Is there a hidden process?


When Windows creates a process, on the kernel side NtCreateUserProcess calls PspAllocateProcess, which in turn calls ObCreateObjectEx with PsProcessType as the object-type parameter.

PsProcessType points to the _OBJECT_TYPE instance that describes process objects.

The TotalNumberOfObjects field of _OBJECT_TYPE holds the number of live objects of that type; for PsProcessType that is the number of process objects currently in existence.

We can count the processes by walking the ActiveProcessLinks list from PsActiveProcessHead and compare that count with TotalNumberOfObjects.

This tells us that a process has been unlinked from ActiveProcessLinks, but not which one. Two caveats apply: the counter and the list walk are not read atomically, so a process that is mid-creation (allocated by PspAllocateProcess but not yet linked by PspInsertProcess) or mid-teardown can produce a transient difference of one that disappears on a re-check, and a rootkit that also patches TotalNumberOfObjects defeats the comparison. Identifying the hidden process still requires a second enumeration source, such as the PspCidTable handle table.
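As an added example (not code from the original post), the following user-mode C program models the check with simplified stand-ins for nt!_LIST_ENTRY, nt!_EPROCESS and nt!_OBJECT_TYPE: creating a process bumps the type counter and links the entry, DKOM-style hiding unlinks the entry only, and the detector compares the two counts. The struct layouts, process names and PIDs are constructed for the demo and do not match the real kernel structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Constructed stand-in for nt!_EPROCESS: only the fields the walk needs. */
typedef struct _EPROCESS {
    uintptr_t  UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* linked into PsActiveProcessHead */
    char       ImageFileName[16];
} EPROCESS;

/* Constructed stand-in for nt!_OBJECT_TYPE. */
typedef struct _OBJECT_TYPE {
    uint32_t TotalNumberOfObjects;   /* live objects of this type */
} OBJECT_TYPE;

static OBJECT_TYPE  ProcessTypeObject;                 /* what PsProcessType points at */
static OBJECT_TYPE *PsProcessType = &ProcessTypeObject;
static LIST_ENTRY   PsActiveProcessHead;

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;  entry->Blink = last;
    last->Flink  = entry; head->Blink  = entry;
}

static void RemoveEntryList(LIST_ENTRY *entry) {
    entry->Blink->Flink = entry->Flink;
    entry->Flink->Blink = entry->Blink;
}

/* Models PspAllocateProcess (ObCreateObjectEx bumps the type counter)
 * followed by PspInsertProcess (link into the active-process list). */
static void create_process(EPROCESS *p, uintptr_t pid, const char *name) {
    p->UniqueProcessId = pid;
    snprintf(p->ImageFileName, sizeof p->ImageFileName, "%s", name);
    PsProcessType->TotalNumberOfObjects++;
    InsertTailList(&PsActiveProcessHead, &p->ActiveProcessLinks);
}

/* Normal exit: the object goes away, so both views agree again. */
static void delete_process(EPROCESS *p) {
    RemoveEntryList(&p->ActiveProcessLinks);
    p->ActiveProcessLinks.Flink = p->ActiveProcessLinks.Blink = NULL;
    PsProcessType->TotalNumberOfObjects--;
}

/* DKOM-style hiding: unlink from ActiveProcessLinks only. The EPROCESS object
 * still exists, so TotalNumberOfObjects is unchanged. Pointing the entry at
 * itself keeps a later RemoveEntryList on exit from corrupting the list. */
static void hide_process(EPROCESS *p) {
    RemoveEntryList(&p->ActiveProcessLinks);
    p->ActiveProcessLinks.Flink = p->ActiveProcessLinks.Blink = &p->ActiveProcessLinks;
}

/* Walk PsActiveProcessHead (what !process 0 0 does) and count entries. */
static uint32_t count_active_processes(void) {
    uint32_t n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) {
        EPROCESS *p = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
        (void)p;   /* a real tool would print p->UniqueProcessId / ImageFileName here */
        n++;
    }
    return n;
}

/* The check from the post: objects the type allocator knows about minus
 * processes reachable from the list. Positive means something is unlinked.
 * On a live kernel the two reads are not atomic, so a difference that
 * vanishes on re-check is a process mid-creation or mid-teardown. */
static int64_t hidden_process_count(void) {
    return (int64_t)PsProcessType->TotalNumberOfObjects - (int64_t)count_active_processes();
}

/* Constructed scenario: four processes, one of them unlinked. */
static int64_t demo(void) {
    static EPROCESS procs[4];
    InitializeListHead(&PsActiveProcessHead);
    PsProcessType->TotalNumberOfObjects = 0;
    create_process(&procs[0], 4,    "System");
    create_process(&procs[1], 600,  "csrss.exe");
    create_process(&procs[2], 1234, "rootkit.exe");
    create_process(&procs[3], 2048, "notepad.exe");
    hide_process(&procs[2]);
    return hidden_process_count();
}

int main(void) {
    int64_t hidden = demo();
    printf("TotalNumberOfObjects=%u listed=%u hidden=%lld\n",
           PsProcessType->TotalNumberOfObjects, count_active_processes(), (long long)hidden);
    return 0;
}
```

On a live system the same two readings come from the kernel debugger: `dt nt!_OBJECT_TYPE TotalNumberOfObjects poi(nt!PsProcessType)` for the counter, and a walk of nt!PsActiveProcessHead (which is what `!process 0 0` performs) for the list count.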

Any feedback appreciated: @_qaz_qaz