Basic checks navigation menu.
Full modules list menu.
DESCRIPTION
Another solution for detecting hidden processes is to brute-force
PID with the OpenProcess() API to check if a specific process is
active (or not). If OpenProcess() returns a non null handle, then it
means that there is an active process.
DESCRIPTION
A list is retrieved using the main EPROCESS chained list in Windows
kernel. It's an easy task to hide from this technique.
DESCRIPTION
This one looks at every ETHREAD structure from an
undocumented schedule table, and finds its associated EPROCESS structure.
This allows to detect advanced rootkit features like "FUTo enhanced" ones.
Not available.
DESCRIPTION
Another solution for detecting hidden processes is to seek both open
TCP and UDP ports. This module tries to bind ports. If it fails, then
it means that there is an active process.
Not available.
DESCRIPTION
This module reveals hidden registry entries created by rootkits and
malwares. It loads its own kernel mode driver and directly manipulates
some system data.
Not available.
DESCRIPTION
This module checks differences between the driver lists retrieved using
both Windows API (which is easy to hide from) and Kernel techniques. To do
so, this module uses an advanced technique which looks at every OBJECT
structure or type “Driver”.
Not available.