Is there a hidden process?
When Windows creates a process, at kernel side
PspAllocateProcess, which calls
PsProcessType as object type parameter:
PsProcessType is the instance of
The TotalNumberOfObjects field of
_OBJECT_TYPE refers to the total number of objects; in our case, it is the number of processes.
We can get a list of processes via parsing
ActiveProcessLinks and compare it to
This way we can detect if there is a hidden process, but not which one.
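The comparison described above, as a user-mode C model (an added example, not code from the original post). The structures are simplified stand-ins rather than the real kernel layouts, and every function name and PID is constructed for illustration:

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins; these are NOT the real kernel structure layouts. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;
typedef struct { unsigned long total_number_of_objects; } object_type; /* models _OBJECT_TYPE */
typedef struct { unsigned long pid; list_entry active_process_links; } eprocess;

#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))

static void list_init(list_entry *h) { h->flink = h->blink = h; }

static void list_insert_tail(list_entry *h, list_entry *e) {
    e->flink = h; e->blink = h->blink;
    h->blink->flink = e; h->blink = e;
}

/* Models process creation: the type counter is always incremented; linking is
   optional so the constructed sample can hold an object missing from the list. */
static void model_create(object_type *t, list_entry *head, eprocess *p,
                         unsigned long pid, int linked) {
    p->pid = pid;
    list_init(&p->active_process_links);
    t->total_number_of_objects++;
    if (linked) list_insert_tail(head, &p->active_process_links);
}

/* Walks the circular list. max_nodes bounds the walk so a corrupted list
   cannot loop forever; returns -1 if the bound is exceeded. */
static long count_linked(const list_entry *head, unsigned long max_nodes) {
    unsigned long n = 0;
    for (const list_entry *e = head->flink; e != head; e = e->flink)
        if (++n > max_nodes) return -1;
    return (long)n;
}

/* Objects counted by the type but not reached by the list walk.
   Returns -1 if the list is longer than the counter or never terminates. */
static long hidden_count(const object_type *t, const list_entry *head) {
    long linked = count_linked(head, t->total_number_of_objects);
    return linked < 0 ? -1 : (long)t->total_number_of_objects - linked;
}

int main(void) {
    object_type type = {0}; list_entry head; eprocess p[4];
    list_init(&head);
    for (int i = 0; i < 4; i++)   /* constructed sample: the third object is not linked */
        model_create(&type, &head, &p[i], 4 + 4UL * i, i != 2);
    for (list_entry *e = head.flink; e != &head; e = e->flink)
        printf("listed pid %lu\n", CONTAINING_RECORD(e, eprocess, active_process_links)->pid);
    printf("counter=%lu hidden=%ld\n", type.total_number_of_objects, hidden_count(&type, &head));
    return 0;
}
```

The result is only a count: the walk never reaches the unlisted object, so nothing in this comparison identifies it.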
Any feedback appreciated: @_qaz_qaz