Alternate Process Listings Flashcards

1
Q

Process Object Scanning

A

This is the pool scanning approach (psscan): it finds _EPROCESS objects by their pool tags in physical memory instead of walking the ActiveProcessLinks list. Remember that the pool tags it relies on are nonessential to the running system; thus, a rootkit can also overwrite them to evade the scanner.

2
Q

Thread Scanning

A

Because every process must have at least one active thread, you can scan for _ETHREAD objects and then map each one back to its owning process. The member used for the mapping is _ETHREAD.Tcb.Process on Windows Vista and later (_ETHREAD.ThreadsProcess on XP and 2003). Thus, even if a rootkit manipulated a process's pool tags to hide from psscan, it would also need to go back and modify the pool tags of every one of that process's threads.

3
Q

CSRSS Handle Table

A

csrss.exe is involved in the creation of every process and thread (with the exception of itself and the processes that started before it, such as System and smss.exe), and it keeps a handle to each one. Thus, you can walk this process's handle table and identify all _EPROCESS objects it references. Note that there is one csrss.exe per session, so walk the handle table of every csrss.exe instance, not just the first.

4
Q

PspCid Table

A

This is a special handle table located in kernel memory that stores a reference to every active process and thread object, indexed by PID and TID. The PspCidTable member of the kernel debugger data structure (_KDDEBUGGER_DATA64) points to the table. Some rootkit detection tools rely on the PspCid table, so a process present in other listings but absent here is a strong signal that the table itself has been tampered with.

5
Q

Session Processes

A

The SessionProcessLinks member of _EPROCESS links together all processes that belong to a particular user's logon session. It is not any harder to unlink a process from this list than from the ActiveProcessLinks list. But because the live system APIs that enumerate processes don't depend on it, attackers rarely find value in targeting it.

6
Q

Desktop Threads

A

Each win32k desktop object (tagDESKTOP) keeps a list of all threads attached to that desktop, and each entry points back to its _ETHREAD, so you can easily map a thread back to its owning process. A process with a GUI thread therefore shows up here even if it has been unlinked from the process lists.
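The whole point of these six alternate listings is cross-view detection: a process that is missing from the live list (pslist) but present in any of the others has been hidden, and the pattern of which listings missed it tells you how much work the rootkit did. The script below is an added example, not code from the original flashcards or from Volatility; it reimplements the cross-referencing idea behind Volatility 2's psxview plugin over a constructed table in psxview's column layout (ExitTime column omitted). All offsets, names and PIDs are made up, and the exemption rules (which listings are not expected to contain System, smss.exe or csrss.exe) are this example's own assumptions modelled on psxview's --apply-rules behaviour.

```python
"""Cross-reference alternate process listings from a psxview-style table.

Added example reimplementing the cross-view idea behind Volatility 2's psxview
plugin; not Volatility code. SAMPLE is constructed, not from a real image.
"""
from dataclasses import dataclass

# Column order of psxview (ExitTime omitted).
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Constructed psxview-like output. evil.exe is unlinked from ActiveProcessLinks and has
# tampered pool tags, but its threads, PspCid entry, csrss handle, session link and
# desktop threads were left alone. notepad.exe is a terminated process that only the
# pool scanner still sees. svchost.exe is listed normally but its pool tag was altered.
SAMPLE = """\
Offset(P)  Name          PID   pslist psscan thrdproc pspcid csrss session deskthrd
0x02a6f020 System          4   True   True   True     True   False False   False
0x02a7b3a0 smss.exe      344   True   True   True     True   False False   False
0x02b1c9a8 csrss.exe     576   True   True   True     True   False True    True
0x02c4d3c0 explorer.exe 1524   True   True   True     True   True  True    True
0x02e55d88 evil.exe     3104   False  False  True     True   True  True    True
0x02f12a10 notepad.exe  2208   False  True   False    False  False False   False
0x02fa0c30 svchost.exe   912   True   False  True     True   True  True    True
"""

# Listings that legitimately lack certain processes (assumption modelled on psxview rules):
# csrss handle table: csrss.exe itself and the processes that start before it (card 3).
# session / desktop lists: System and smss.exe run outside any logon session or desktop.
EXPECTED_MISSING = {
    "csrss": {"System", "smss.exe", "csrss.exe"},
    "session": {"System", "smss.exe"},
    "deskthrd": {"System", "smss.exe"},
}


@dataclass
class ProcRow:
    offset: int
    name: str
    pid: int
    found: dict  # source name -> bool


def parse_psxview(text):
    """Parse psxview-style rows; booleans are the last len(SOURCES) tokens, PID precedes them."""
    rows = []
    n = len(SOURCES)
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # header or blank line
        tokens = line.split()
        flags = [t == "True" for t in tokens[-n:]]
        pid = int(tokens[-n - 1])
        name = " ".join(tokens[1:-n - 1])
        rows.append(ProcRow(int(tokens[0], 16), name, pid, dict(zip(SOURCES, flags))))
    return rows


def classify(row):
    """Return (verdict, unexplained_misses) for one process.

    'terminated': only the pool scanner saw it (psscan also finds freed _EPROCESS objects).
    'hidden'    : absent from pslist but present elsewhere; the miss list shows how far
                  the rootkit went (pslist only = DKOM unlink, + psscan = tag tampering...).
    'tampered'  : in pslist but missing from a listing that should contain it.
    'ok'        : consistent across every listing expected to contain it.
    """
    seen = {s for s, v in row.found.items() if v}
    if seen == {"psscan"}:
        return "terminated", []
    missing = [s for s in SOURCES
               if not row.found[s] and row.name not in EXPECTED_MISSING.get(s, ())]
    if not missing:
        return "ok", []
    if "pslist" in missing:
        return "hidden", missing
    return "tampered", missing


def report(text):
    """Map PID -> (verdict, unexplained_misses) for every row in the table."""
    return {r.pid: classify(r) for r in parse_psxview(text)}


if __name__ == "__main__":
    for r in parse_psxview(SAMPLE):
        verdict, missing = classify(r)
        print(f"{r.pid:>5} {r.name:<14} {verdict:<10} {' '.join(missing)}")
```

The interesting row is evil.exe: missing from pslist and psscan but found by thread scanning, the PspCid table, the csrss handle table, the session list and the desktop thread list. To stay hidden from every view, the rootkit would have had to unlink from ActiveProcessLinks and SessionProcessLinks, overwrite its own pool tag and the pool tag of every thread, remove its PspCid entries, close csrss's handle and detach from the desktop, and each of those steps adds risk of instability.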
