Alternate Process Listings Flashcards
Process Object Scanning
This is the pool scanning approach. Remember that the pool tags it finds are nonessential; thus, they can also be manipulated to evade the scanner.
Thread Scanning
Because every process must have at least one active thread, you can scan for _ETHREAD objects and then map them back to their owning process. The member used for mapping is _ETHREAD.Tcb.Process for Windows Vista and later. Thus, even if a rootkit manipulated a process's pool tags to hide from psscan, it would also need to go back and modify the pool tags for all of that process's threads.
CSRSS Handle Table
csrss.exe is involved in the creation of every process and thread (with the exception of itself and the processes that started before it). Thus, you can walk this process's handle table and identify all _EPROCESS objects that way.
PspCid Table
This is a special handle table located in kernel memory that stores a reference to all active process and thread objects. The PspCidTable member of the kernel debugger data structure points to the table. Some rootkit detection tools rely on the PspCid table.
Session Processes
The SessionProcessLinks member of _EPROCESS associates all processes that belong to a particular user's logon session. It's not any harder to unlink a process from this list than from the ActiveProcessLinks list. But because live system APIs don't depend on it, attackers rarely find value in targeting it.
Desktop Threads
These structures store a list of all threads attached to each desktop, and you can easily map a thread back to its owning process.