This article: 2106 views, 5018 downloads
Received:December 24, 2010 Revised:February 02, 2011
Chinese abstract (translated): PspCidTable holds pointers to every process and thread object, so traversing PspCidTable enumerates all processes, including hidden ones. This paper analyses the structure of the Windows 7 PspCidTable, describes how to obtain its memory address on Windows 7 and the algorithm for traversing the table, and finally gives the implementation steps and method for automatic detection. Experiments on Windows 7 show that all processes can be enumerated efficiently, including processes that hide themselves by hooking the process-enumeration functions or by entering kernel space and modifying kernel data directly.
Chinese keywords (translated): process, PspCidTable, pointer, kernel
Abstract: PspCidTable stores pointers to all process and thread objects, so traversing PspCidTable can enumerate every process, including hidden processes. The paper analyses the structure of the Windows 7 PspCidTable, explains the method for obtaining the memory address of the Windows 7 PspCidTable and the algorithm for traversing it, and finally presents the steps and method for detecting processes automatically. Experiments on the Windows 7 operating system show that the algorithm enumerates all processes with high efficiency, including processes that hide themselves by hooking the process-enumeration functions or by entering kernel space and modifying kernel data directly.
Keywords: process, PspCidTable, pointer, kernel
Funding: Quzhou College of Technology research project (QZYY1023)
| Author Name | Affiliation |
|---|---|
| ZHOU Li-Rong | Library, Quzhou College of Technology, Quzhou 324000, China |
| MA Wen-Long | Information and Engineering College, Quzhou College of Technology, Quzhou 324000, China |
Citation:
ZHOU Li-Rong, MA Wen-Long. Windows 7 Ergodice PspCidTable to Detect Hidden Processes. Computer Systems Applications, 2011, 20(9): 222-225