Detecting Hidden Processes
Introduction to WinDbg
WinDbg is a kernel-mode and user-mode debugger that's included in Debugging Tools for Windows.
For information about how to get Debugging Tools for Windows, see Download and install the WinDbg Windows debugger. After you have installed the debugging tools, locate the installation directories for 64-bit (x64) and 32-bit (x86) versions of the tools. For example:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86
Step By Step Guide
Attach WinDbg to the Target System: Open WinDbg as an administrator and attach it to the target system or dump file.
Set Context to Kernel Mode:
List All Active Processes: Use the
!process 0 0command to list all processes. This lists active processes maintained by thePsActiveProcessHeadlist.
Manually Search for Process Objects: Hidden processes may still have allocated
EPROCESSstructures. Search the kernel memory for process objects using:
Useful Commands
vertarget
Show Target Computer Version
!cpuid
Displays information about the processors on the system
.sympath
Set Symbol Path
!lmi
Displays detailed information about a module
|
Process Status
~
Thread Status
lm
List Loaded Modules
?
Evaluate Expression
x
Examine Symbols
bp
Set Breakpoint
bl
Breakpoint Enable
g
Go
r
Registers
dp
Display Memory - Pointer-sized values
dps
Display Referenced Memory - Display known symbols
k
Display Stack Backtrace
ln
List Nearest Symbols
da
Display Memory - ASCII characters
dc
Display Memory - Double-word values and ASCII characters
dt
Display Type
dS
Display String - UNICODE_STRING structure
du
Display Memory - Wide char characters
db
Display Memory - ASCII characters
dw
Display Memory - Word values
dd
Display Memory - Double-word values
dq
Display Memory - Quad-word values
u
Unassemble
ub
Unassemble backward
uf
Unassemble Function
REFERENCES
Last updated