
When Windows creates a process, on the kernel side NtCreateUserProcess calls PspAllocateProcess, which in turn calls ObCreateObjectEx with PsProcessType as the object-type parameter.

PsProcessType is an instance of _OBJECT_TYPE.

The TotalNumberOfObjects field of _OBJECT_TYPE appears to hold the total number of live objects of that type; for PsProcessType, that is the number of process objects.

We can build a list of processes by walking ActiveProcessLinks and compare its length to the TotalNumberOfObjects field.

If the two counts differ, we know a hidden process exists, but not which one.
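The comparison described above, written out as an added C example (not code from the original post). It models the two kernel structures with constructed stand-ins whose names are borrowed from the post but whose layouts are not those of the real nt!_EPROCESS or nt!_OBJECT_TYPE: an object-manager counter that is incremented on every process creation, and a doubly linked ActiveProcessLinks list that is walked with the usual CONTAINING_RECORD idiom. The scenario builds four process objects and, in the second run, leaves the fourth off the list, which is exactly what a DKOM-hidden process looks like to the walk: the counter still says four, the list only yields three. Note that on a live system both values are snapshots taken at slightly different times, so a process created or exiting between the two reads also produces a transient difference; the check should be repeated before a mismatch is treated as a finding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures the post refers to.
 * Field names follow the post; offsets and layout are NOT those of the
 * real nt!_EPROCESS / nt!_OBJECT_TYPE (hypothetical models only). */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct {
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* links this process into PsActiveProcessHead */
    char       ImageFileName[16];
} EPROCESS_MODEL;

typedef struct {
    uint32_t TotalNumberOfObjects;     /* maintained by the object manager on create/delete */
    uint32_t HighWaterNumberOfObjects;
} OBJECT_TYPE_MODEL;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Models ObCreateObjectEx(PsProcessType): the object-type counter goes up
 * whether or not the new object is ever linked into the active list. */
static EPROCESS_MODEL *ob_create_process(OBJECT_TYPE_MODEL *type, EPROCESS_MODEL *slot,
                                         uint32_t pid, const char *name) {
    type->TotalNumberOfObjects++;
    if (type->TotalNumberOfObjects > type->HighWaterNumberOfObjects)
        type->HighWaterNumberOfObjects = type->TotalNumberOfObjects;
    slot->UniqueProcessId = pid;
    strncpy(slot->ImageFileName, name, sizeof slot->ImageFileName - 1);
    slot->ImageFileName[sizeof slot->ImageFileName - 1] = '\0';
    return slot;
}

/* Walk ActiveProcessLinks from the list head and count every linked process. */
uint32_t count_active_process_links(const LIST_ENTRY *head) {
    uint32_t n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        const EPROCESS_MODEL *p = CONTAINING_RECORD(e, EPROCESS_MODEL, ActiveProcessLinks);
        (void)p;   /* a real walker would record p->UniqueProcessId here */
        n++;
    }
    return n;
}

/* The post's check: process objects known to the object manager minus
 * processes reachable via ActiveProcessLinks. Positive => something is
 * hidden from the list; the value says how many, not which. */
int32_t hidden_process_count(const OBJECT_TYPE_MODEL *ps_process_type,
                             const LIST_ENTRY *ps_active_process_head) {
    return (int32_t)ps_process_type->TotalNumberOfObjects
         - (int32_t)count_active_process_links(ps_active_process_head);
}

/* Constructed scenario: four process objects are created. When hide_last is
 * nonzero the fourth is never linked, which is how a DKOM-unlinked process
 * presents itself to a list walk. Returns the hidden-process count. */
int32_t run_scenario(int hide_last) {
    OBJECT_TYPE_MODEL ps_process_type = {0, 0};
    LIST_ENTRY ps_active_process_head;
    EPROCESS_MODEL procs[4];
    const char *names[4] = {"System", "smss.exe", "csrss.exe", "hidden.exe"};  /* constructed */

    list_init(&ps_active_process_head);
    for (uint32_t i = 0; i < 4; i++) {
        EPROCESS_MODEL *p = ob_create_process(&ps_process_type, &procs[i], 4 * (i + 1), names[i]);
        if (!(hide_last && i == 3))
            list_insert_tail(&ps_active_process_head, &p->ActiveProcessLinks);
    }
    return hidden_process_count(&ps_process_type, &ps_active_process_head);
}

int main(void) {
    printf("all processes linked : %d hidden\n", run_scenario(0));
    printf("one process unlinked : %d hidden\n", run_scenario(1));
    return 0;
}
```

The walk stops when it returns to the list head, so a process that has been unlinked is simply never visited; only the independent counter kept by the object manager reveals that it exists.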

Any feedback appreciated: @_qaz_qaz