Abstract
The PspCidTable holds pointers to all process and thread objects, so traversing it enumerates every process, including hidden ones. This paper analyzes the structure of the PspCidTable in Windows 7, describes how to obtain its memory address and the algorithm for traversing it, and finally gives the steps and method for automated detection. Experiments on Windows 7 show that the approach efficiently enumerates all processes, including those that hide themselves by hooking process-enumeration functions or by entering kernel space and directly modifying kernel data.
Source
《计算机系统应用》
2011, Issue 9, pp. 222-225 (4 pages)
Computer Systems & Applications
Funding
Research project of Quzhou College of Technology (衢州职业技术学院), No. QZYY1023