Enumerate Processes in Driver

OSR_Community_User · September 30, 2009, 10:39am

Hello

Is there any way to enumerate processes in a driver ?
Can we do that by accessing IdleProcess->SessionProcessLinks field ?

–
Avadhoot Punde

Doron_Holan · September 30, 2009, 10:44am

No, there is no safe way to do this. Why do you want do to this?

d

Sent from my phone with no t9, all spilling mistakes are not intentional.

From: Avadhoot Punde
Sent: Wednesday, September 30, 2009 7:40 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Enumerate Processes in Driver

Hello

Is there any way to enumerate processes in a driver ?
Can we do that by accessing IdleProcess->SessionProcessLinks field ?

–
Avadhoot Punde
— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

anton_bassov · September 30, 2009, 2:04pm

> Why do you want do to this?

I bet it is somehow related to rootkit detection - apparently the OP plans to enumerate processes and threads and check whether every PID he had obtained from the thread list has its corresponding entry on the process list. A theory behind it is that rootkit may remove a culprit process from the process list but it still has to leave its threads on the thread list - otherwise the target process’s threads are supposed to be unshedulable.

IMHO, this assumption if pretty naive - if rootkit decides to move the system upside down and inside out it may well go all the way and remove threads from the thread list as well. In such case all it has to do is to provide a “container” thread that will appear on the thread list and do custom scheduling of hidden threads, plus hook IDT and service dispatcher to make sure that the target thread hides behind its “official” container whenever system gets entered…

Anton Bassov

Cay_Bremer · October 1, 2009, 10:21am

Hello,

you could use the somewhat documented ZwQuerySystemInformation() in
conjunction with the somewhat documented SystemProcessInformation class:
http://msdn.microsoft.com/en-us/library/ms725506.aspx

Cay

On Wed, 30 Sep 2009 16:38:30 +0200, Avadhoot Punde
wrote:
> Hello
>
> Is there any way to enumerate processes in a driver ?
> Can we do that by accessing IdleProcess->SessionProcessLinks field ?