Uninformed: Informative Information for the Uninformed

Current v9 v8 v7 v6 v5 v4 v3 v2 v1 All About
Vol 4» 2006.Jun


Next: Thread Objects Up: Found An Object, Now Previous: Found An Object, Now   Contents

Process Objects

Here is a brief list of things to check when scanning for EPROCESS objects.

  • Compare against a high level API such as kernel32!CreateToolhelp32Snapshot.
  • Compare against a system call such as nt!NtQuerySystemInformation.
  • Compare against the EPROCESS->ActiveProcessLinks list.
  • Does the process have a valid list of threads?
  • Can PsLookupProcessByProcessId open its UniqueProcessId?
  • Is ImageFileName a valid string? zeroed? garbage?