How IceSword lists hidden processes

Source: Internet
Author: User

IceSword enumerates processes by walking PspCidTable. PspCidTable is not exported by ntoskrnl.exe, so the first problem is locating it. IceSword locates PspCidTable by searching for a signature byte string. PspCidTable is a HANDLE_TABLE structure.

The PspCidTable variable is referenced inside the PsLookupProcessByProcessId function, and IceSword searches the first few dozen bytes of PsLookupProcessByProcessId for that reference. IceSword itself cannot be debugged: under WinDbg, SoftICE or Syser, breakpoints set inside it never fire.

Of course it can't be debugged, because IceSword.exe resets the interrupt handlers for INT 1 and INT 3 from a timer, pointing them back at the default handler functions in ntoskrnl.exe. Hardware breakpoint registers don't work either. Some will say that, since the handlers are reset to the defaults in ntoskrnl.exe, you can still use WinDbg two-machine debugging through those default handlers. IceSword handles that case as well: it reads the KdDebuggerEnabled variable to see whether the kernel allows debugging, and if it does, it calls KdDisableDebugger to shut kernel debugging off.

Part I

(Written in too much detail, for fear of it being used by rootkit authors, so the first part has been removed. If you need it, contact me privately.)

Part II

Here, by the way, are the two small traps I ran into while debugging IceSword during the analysis; the code fragments are listed below, and I hope the author will forgive me.

.text:000XXXF0 mov [ebp+IoControlCode], eax
.text:000XXXF3 mov eax, [esp+5Ch-6Ch]   ; anti-debug code
.text:000XXXF7 push eax
.text:000XXXF8 mov eax, [esp+60h-6Ch]
.text:000XXXFC pop ebx
.text:000XXXFD cmp eax, ebx
.text:000XXXFF jz short loc_1240B       ; if not being debugged, this jumps
.text:000XXX01 mov eax, 200EDBh
.text:000XXX06 not eax
.text:000XXX08 push eax
.text:000XXX09 pop edi
.text:000XXX0A stosd

When you step onto .text:000XXXF3 mov eax, [esp+5Ch-6Ch], or set a breakpoint on it, the debug trap that fires at this instruction saves EFLAGS, CS and EIP on the current stack (unless the INT 1 or INT 3 handler runs through a task gate, which avoids the problem). For example, suppose ESP = 805E4320h when execution reaches this instruction. After it executes, EAX = [esp+5Ch-6Ch] = [esp-10h] = [805E4320h-10h] = [805E4310h].

When you step onto .text:000XXXF8 mov eax, [esp+60h-6Ch], ESP = 805E431Ch, because the push eax in between has pushed one more dword. After that instruction executes, EAX = [esp+60h-6Ch] = [esp-0Ch] = [805E431Ch-0Ch] = [805E4310h].

Without a debugger, both reads fetch the same address and return the same value, so .text:000XXXFD cmp eax, ebx finds them equal and .text:000XXXFF jz short loc_1240B jumps straight on. Under a debugger, the trap frame pushed below ESP between the two reads overwrites [805E4310h], so the values differ and the jz at .text:000XXXFF does not jump. If it does not jump, the code that follows overwrites the system's current ETHREAD pointer (not 200EDBh is FFDFF124h, the CurrentThread field of the KPCR). The next call into many system functions then crashes, with the crash landing inside a system module, which misleads you about where the error really is. Ha ha.
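To see why the two reads disagree only under a debugger, here is an added C model (not code from the page or from IceSword) of a kernel stack and of the frame a debug exception pushes on it. The stack contents, the pushed EIP values and the trap-frame layout are constructed stand-ins; the point it reproduces is that the frame lands exactly on the dword the second mov reads.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit kernel stack (illustrative, not the page's
   code): an array of dwords, with ESP kept as an index. Index i stands for
   address BASE + 4*i, and the stack grows towards lower indexes, so
   [esp - 10h] is stack_mem[esp - 4]. */
#define STACK_DWORDS 64
#define ESP_START    48        /* plays the role of the page's 805E4320h */

static uint32_t stack_mem[STACK_DWORDS];

static void reset_stack(void) {
    for (int i = 0; i < STACK_DWORDS; i++)
        stack_mem[i] = 0x11110000u + (uint32_t)i;   /* recognisable filler */
}

/* [esp + disp_bytes]; a negative displacement reads below ESP. */
static uint32_t read_stack(int esp, int disp_bytes) {
    return stack_mem[esp + disp_bytes / 4];
}

/* Model of a debug trap (INT 1 or INT 3) taken in kernel mode with no privilege
   change: the CPU pushes EFLAGS, CS and EIP on the current stack, then the
   handler pushes a dummy error code and saves the general registers with
   pushad. Everything just below ESP is overwritten. The handler returns with
   iret, so ESP is unchanged when the debuggee resumes. The pushed values are
   constructed and only need to be recognisable. */
static void debug_trap(int esp, uint32_t eip) {
    int sp = esp;
    stack_mem[--sp] = 0x00000246u;   /* EFLAGS */
    stack_mem[--sp] = 0x00000008u;   /* CS: kernel code selector */
    stack_mem[--sp] = eip;           /* EIP of the trapped instruction */
    stack_mem[--sp] = 0;             /* dummy error code */
    for (int r = 0; r < 8; r++)
        stack_mem[--sp] = 0xAAAAAAAAu;   /* pushad */
}

/* The listing's check, instruction by instruction. When single_step is nonzero
   a debug trap is delivered before every instruction, as happens when the code
   is stepped through. Returns 1 when the two reads agree (the jz at 000XXXFF
   is taken) and 0 when they differ. The EIP values are constructed stand-ins
   for the listing's hidden addresses. */
int stack_check(int single_step) {
    reset_stack();
    int esp = ESP_START;
    uint32_t eax, ebx;

    if (single_step) debug_trap(esp, 0x10F3u);
    eax = read_stack(esp, 0x5C - 0x6C);        /* mov eax, [esp+5Ch-6Ch] = [esp-10h] */

    if (single_step) debug_trap(esp, 0x10F7u);
    stack_mem[--esp] = eax;                     /* push eax */

    if (single_step) debug_trap(esp, 0x10F8u);
    eax = read_stack(esp, 0x60 - 0x6C);        /* mov eax, [esp+60h-6Ch] = [esp-0Ch] */

    if (single_step) debug_trap(esp, 0x10FCu);
    ebx = stack_mem[esp++];                     /* pop ebx */

    return eax == ebx;                          /* cmp eax, ebx / jz */
}

int main(void) {
    printf("no debugger : reads %s\n", stack_check(0) ? "agree" : "differ");
    printf("single-step : reads %s\n", stack_check(1) ? "agree" : "differ");
    return 0;
}
```

With no trap, both loads hit stack_mem[44] and the comparison succeeds; with a trap before each instruction, the second load finds the pushed EIP in that slot instead, which is the condition the listing turns into a crash.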

.text:000XXX68 push 1                      ; Alignment
.text:000XXX6A push 40h                    ; Length
.text:000XXX6C push CurrentEProcessObject  ; Address
.text:000XXX72 call ds:ProbeForRead

Here an exception is raised deliberately to achieve the jump: ProbeForRead raises an exception whenever the address lies in kernel space, and the EPROCESS address always does, so the call never returns normally and control passes to the exception handler instead. If you step over the .text:000XXX72 call ds:ProbeForRead instruction, the debugger runs away: execution leaves the debugger's control and it never gets it back.

Part III

Now that we have found the PspCidTable variable: [the handle table held by this HANDLE_TABLE holds pointers to all process and thread objects. The PID (process ID) and TID (thread ID) are the indexes into this handle table. This HANDLE_TABLE does not belong to any process and is not linked into the handle-table list. The global variable PspCidTable is a pointer to this HANDLE_TABLE. It differs slightly from other handle tables: the first 32 bits of each HANDLE_TABLE_ENTRY are the object body pointer (which of course needs to be converted), not the object header pointer (the object pointer is the object body pointer).] (The words inside [] in particular are not in the online copy; special thanks here to the author of the article "JIURL plays with Win2K process/thread HANDLE_TABLE", jiurl.)

We need a way to walk the PspCidTable handle table so as to enumerate every process on the system. To walk this table IceSword uses ExEnumHandleTable, which ntoskrnl.exe exports. IceSword resolves the address of ExEnumHandleTable from the exports of ntoskrnl.exe. The function is exported but undocumented.

Its prototype may be: VOID __stdcall ExEnumHandleTable(PULONG HandleTable, PVOID Callback, PVOID Param, PHANDLE Handle);

The PULONG HandleTable parameter can be given PspCidTable.

The PVOID Callback parameter is a function pointer of type BOOL (*ExEnumHandleTableCallback)(HANDLE_TABLE_ENTRY*, DWORD pid, PVOID Param).

The PVOID Param parameter is the argument passed through to the callback function.

PHANDLE Handle OPTIONAL: I don't know what this parameter means. I don't need it either, so I ignore it and leave it alone.

When ExEnumHandleTable is called, it invokes the callback once for every handle it enumerates in the table. When the callback returns 0, enumeration of the handle table continues; when it returns 1, enumeration stops.
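As an added example (not IceSword's code and not the real kernel structures), the following user-mode C model shows what walking PspCidTable through an ExEnumHandleTable-style callback buys a detector: a process that a rootkit has unlinked from the EPROCESS list still occupies its slot in the CID table, so comparing the two views exposes it. The structure layouts, the flag mask used for the "conversion" of the entry's first dword, the slot-index-times-4 CID convention and the sample process set are all constructed assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model of the two process views discussed on the page:
   the EPROCESS list that ordinary tools walk and the PspCidTable handle table
   that IceSword walks. Illustrative only; field names and the flag mask are
   assumptions, not the kernel's definitions. */

typedef struct OBJECT_MODEL { int is_process; } OBJECT_MODEL;

typedef struct EPROCESS_MODEL {
    OBJECT_MODEL hdr;
    uint32_t pid;
    const char *name;
    struct EPROCESS_MODEL *flink;   /* stands in for ActiveProcessLinks.Flink */
} EPROCESS_MODEL;

typedef struct ETHREAD_MODEL {
    OBJECT_MODEL hdr;
    uint32_t tid;
} ETHREAD_MODEL;

/* One PspCidTable slot: the first dword is the object *body* pointer with flag
   bits in its low bits (hence the "conversion" the page mentions); 0 = free. */
typedef struct HANDLE_TABLE_ENTRY_MODEL {
    uintptr_t object;
    uint32_t granted_access;
} HANDLE_TABLE_ENTRY_MODEL;

#define CID_SLOTS       16
#define ENTRY_FLAG_MASK ((uintptr_t)3)   /* assumed width of the flag bits */

typedef struct HANDLE_TABLE_MODEL { HANDLE_TABLE_ENTRY_MODEL entries[CID_SLOTS]; } HANDLE_TABLE_MODEL;

/* Callback contract from the page: return 0 to continue, 1 to stop. */
typedef int (*ENUM_CALLBACK)(HANDLE_TABLE_ENTRY_MODEL *entry, uint32_t cid, void *param);

/* Model of ExEnumHandleTable: call the callback for every in-use slot. The CID
   handed to the callback is slot index * 4 (handle values are multiples of 4). */
static void enum_handle_table_model(HANDLE_TABLE_MODEL *t, ENUM_CALLBACK cb, void *param) {
    for (uint32_t i = 0; i < CID_SLOTS; i++) {
        if (t->entries[i].object == 0) continue;
        if (cb(&t->entries[i], i * 4, param) != 0) break;
    }
}

/* Detection state: processes present in PspCidTable but absent from the list. */
typedef struct SCAN_STATE {
    EPROCESS_MODEL *list_head;
    int processes_seen;
    int hidden_count;
    uint32_t hidden_pids[CID_SLOTS];
} SCAN_STATE;

static int on_active_list(EPROCESS_MODEL *head, EPROCESS_MODEL *target) {
    for (EPROCESS_MODEL *p = head; p != NULL; p = p->flink)
        if (p == target) return 1;
    return 0;
}

static int cid_callback(HANDLE_TABLE_ENTRY_MODEL *entry, uint32_t cid, void *param) {
    SCAN_STATE *st = (SCAN_STATE *)param;
    OBJECT_MODEL *obj = (OBJECT_MODEL *)(entry->object & ~ENTRY_FLAG_MASK);  /* strip flag bits */
    if (!obj->is_process) return 0;            /* threads share the table; skip them */
    EPROCESS_MODEL *proc = (EPROCESS_MODEL *)obj;
    st->processes_seen++;
    if (!on_active_list(st->list_head, proc))  /* in the CID table, unlinked from the list */
        st->hidden_pids[st->hidden_count++] = cid;
    return 0;                                  /* 0 = keep enumerating */
}

/* Constructed sample: four processes and two threads. A "rootkit" unlinks
   PID 24 from the list; its PspCidTable slot (24/4 = 6) is untouched. */
static EPROCESS_MODEL procs[4] = {
    { {1}, 4,  "System",       &procs[1] },
    { {1}, 8,  "smss.exe",     &procs[2] },
    { {1}, 24, "hidden.exe",   &procs[3] },
    { {1}, 40, "explorer.exe", NULL },
};
static ETHREAD_MODEL threads[2] = { { {0}, 12 }, { {0}, 28 } };
static HANDLE_TABLE_MODEL cid_table;
static SCAN_STATE state;

/* Builds the sample table, unlinks hidden.exe, walks the table; returns the
   number of processes found in PspCidTable but not on the list. */
int run_sample_scan(void) {
    memset(&cid_table, 0, sizeof cid_table);
    memset(&state, 0, sizeof state);
    for (int i = 0; i < 4; i++)
        cid_table.entries[procs[i].pid / 4].object = (uintptr_t)&procs[i] | 1;   /* flag bit set */
    for (int i = 0; i < 2; i++)
        cid_table.entries[threads[i].tid / 4].object = (uintptr_t)&threads[i] | 1;
    procs[1].flink = &procs[3];   /* rootkit: smss -> explorer, skipping hidden.exe */
    state.list_head = &procs[0];
    enum_handle_table_model(&cid_table, cid_callback, &state);
    return state.hidden_count;
}

int sample_processes_seen(void) { return state.processes_seen; }
uint32_t hidden_pid_at(int i) { return state.hidden_pids[i]; }

int main(void) {
    int n = run_sample_scan();
    printf("%d processes in PspCidTable, %d hidden\n", sample_processes_seen(), n);
    for (int i = 0; i < n; i++) printf("hidden PID %u\n", hidden_pid_at(i));
    return 0;
}
```

The list walk sees three processes while the CID-table walk sees four; the difference, PID 24, is exactly what a list-unlinking rootkit hides from Task Manager and what IceSword's PspCidTable enumeration brings back.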
