Windows Task Manager, tasklist or Get-Process cmdlet in PowerShell.

_EPROCESS is a kernel memory structure that describes system processes as we know them (in other words, each process running on a system has its corresponding _EPROCESS object somewhere in the kernel). It contains details such as the process image name, which desktop session it is running in, how many open handles to other kernel objects it has, what access token it has and much more.

ActiveProcessLinks. It is a pointer to a structure called LIST_ENTRY:

doubly-linked list. It contains records (also called nodes) that are linked to each other, meaning each node in the list contains two fields (hence "doubly") that reference the previous and the next record of that linked list.

LIST_ENTRY is the doubly-linked list equivalent data structure in the Windows kernel and is defined as:

FLINK (forward link) and BLINK (backward link) are the equivalents of the Next and Previous references to the next and previous element in the list in our graphical representation of the doubly-linked list discussed above.

cmd /c tasklist or get-process is invoked to get a list of all running processes on the system, Windows walks through the doubly-linked list of EPROCESS nodes, utilizing the LIST_ENTRY structures, and retrieves information about all currently active processes.

get-process cmdlet or similar is issued in the userland.

ActiveProcessLinks.Flink
in EPROCESS 1 will be pointed to EPROCESS 3 ActiveProcessLinks.Flink
ActiveProcessLinks.Blink in EPROCESS 3 will be pointed to EPROCESS 1 ActiveProcessLinks.Flink

notepad process like so:

EPROCESS structure is located at ffffb208f8b304c0:

ActiveProcessLinks, the doubly-linked list, populated with two pointers (Flink and Blink): dt _list_entry ffffb208f8b304c0+2f0 or by dumping two 64-bit long values from ffffb208f8b304c0+2f0:

ActiveProcessLinks from the EPROCESS structure; 2. reading two 64-bit values from the EPROCESS+0x2f0) that our notepad's:

ffffb208`f8d1e7b0
ffffb208`f8b89370

ffffb208`f8d1e7b0 - the next EPROCESS node to our notepad's EPROCESS: ffffb208`f8d1e7b0. This is because FLINK points to EPROCESS.ActiveProcessLinks and ActiveProcessLinks is located at offset 0x2f0 from the beginning of the EPROCESS location.

ImageFileName in the EPROCESS structure

0x000009cc and 0x00001464 respectively, as shown below:

ffffb208`f8d1e7b0 is the location of EPROCESS.ActiveProcessLinks, which will be important later:

ffffb208`f8b89370 is the location of EPROCESS.ActiveProcessLinks, which will be important later:

ffffb208`f8b89370
to svchost's (0x9cc) FLINK at ffffb208`f8d1e7b0
ffffb208`f8d1e7b0+8 (+8 because LIST_ENTRY is two fields, FLINK/BLINK, of 8 bytes each on x64) to svchost's (0x1464) FLINK at ffffb208`f8b89370

get-process or ps notepad in PowerShell and observe that notepad.exe has been successfully hidden:

ps notepad returns nothing, although notepad is visible in the taskbar and underneath the Windows Task Manager:
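The following is an added example, not code from the original post or its author. It models in user-mode C the structures the post walks through in WinDbg (LIST_ENTRY, a reduced _EPROCESS with ActiveProcessLinks at 0x2f0, and the "subtract the field offset to get back to the EPROCESS" arithmetic), reproduces the two pointer writes from the hiding step on that model, and then shows what a defender can check afterwards: walking the list alone stays perfectly consistent and misses the process, while a cross-view check (list walk versus every object a memory scan would still find) reports it. Assumptions: the _EPROCESS layout is a stand-in with only the 0x2f0 offset taken from the post; the PIDs 0x1464 and 0x9cc are the svchost neighbours named in the post, while the notepad PID 0x1a2c, the process names and list order are constructed; the "pool" array stands in for objects recovered by scanning memory rather than following pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows' LIST_ENTRY: two pointers, 8 bytes each on x64 (hence the post's "+8" for BLINK). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

#define ACTIVE_PROCESS_LINKS_OFFSET 0x2f0  /* offset the post reports for its Windows build */
/* Reduced _EPROCESS model: padding puts ActiveProcessLinks at 0x2f0 as in the post; the
   positions of the other two fields are invented for the model, not the real ones. */
typedef struct _EPROCESS {
    uint8_t    Padding[ACTIVE_PROCESS_LINKS_OFFSET];
    LIST_ENTRY ActiveProcessLinks;
    uint64_t   UniqueProcessId;
    char       ImageFileName[16];
} EPROCESS;

/* Kernel-style CONTAINING_RECORD: a Flink/Blink value is the address of a neighbour's
   ActiveProcessLinks, so subtracting the field offset gives that neighbour's _EPROCESS. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((uint8_t *)(addr) - offsetof(type, field)))

/* Same arithmetic on a value read in WinDbg: Flink ffffb208`f8d1e7b0 -> EPROCESS ffffb208`f8d1e4c0. */
uint64_t eprocess_from_link(uint64_t link_addr) { return link_addr - ACTIVE_PROCESS_LINKS_OFFSET; }

/* InsertTailList equivalent: append a process to the ring headed by 'head'. */
void link_process(LIST_ENTRY *head, EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks, *last = head->Blink;
    e->Flink = head; e->Blink = last; last->Flink = e; head->Blink = e;
}

/* What tasklist / Get-Process effectively see: follow Flink until it wraps back to the head. */
size_t walk_active_processes(const LIST_ENTRY *head, const EPROCESS **out, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
    return n;
}

/* The post's two pointer writes, in this model: the neighbours are re-pointed around p,
   while p's own Flink/Blink are left exactly as they were. */
void model_unlinked_state(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* Nodes whose neighbours do not point back. A clean unlink leaves the remaining ring fully
   consistent, so this check by itself does not expose the hidden process. */
size_t count_inconsistent_links(const LIST_ENTRY *head) {
    size_t bad = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        if (e->Flink->Blink != e || e->Blink->Flink != e) bad++;
    return bad;
}

/* Cross-view check, the idea behind pool-scanning forensic tools: every _EPROCESS still
   allocated ('pool', as a memory scan would recover them) must be reachable from the list. */
size_t find_unlinked_processes(const LIST_ENTRY *head, const EPROCESS *const *pool,
                               size_t pool_n, const EPROCESS **hidden, size_t max) {
    const EPROCESS *seen[64];
    size_t seen_n = walk_active_processes(head, seen, 64), found = 0, i, j;
    for (i = 0; i < pool_n; i++) {
        for (j = 0; j < seen_n && seen[j] != pool[i]; j++) {}
        if (j == seen_n && found < max) hidden[found++] = pool[i];  /* allocated but unreachable */
    }
    return found;
}

/* Constructed sample: 0x1464 and 0x9cc are the svchost neighbours named in the post; the
   notepad PID 0x1a2c and the list order are made up for the example. */
static EPROCESS g_procs[4];
static LIST_ENTRY g_head;

void build_sample_system(void) {
    const uint64_t pids[4] = { 4, 0x1464, 0x1a2c, 0x9cc };
    const char *names[4] = { "System", "svchost.exe", "notepad.exe", "svchost.exe" };
    g_head.Flink = g_head.Blink = &g_head;
    for (int i = 0; i < 4; i++) {
        memset(&g_procs[i], 0, sizeof g_procs[i]);
        g_procs[i].UniqueProcessId = pids[i];
        strncpy(g_procs[i].ImageFileName, names[i], sizeof g_procs[i].ImageFileName - 1);
        link_process(&g_head, &g_procs[i]);
    }
}

int main(void) {
    const EPROCESS *seen[8], *hidden[4], *pool[4] = { &g_procs[0], &g_procs[1], &g_procs[2], &g_procs[3] };
    build_sample_system();
    printf("before: %zu visible\n", walk_active_processes(&g_head, seen, 8));
    model_unlinked_state(&g_procs[2]);
    printf("after: %zu visible, %zu inconsistent links\n",
           walk_active_processes(&g_head, seen, 8), count_inconsistent_links(&g_head));
    size_t h = find_unlinked_processes(&g_head, pool, 4, hidden, 4);
    for (size_t i = 0; i < h; i++)
        printf("unlinked: pid 0x%llx %s\n", (unsigned long long)hidden[i]->UniqueProcessId, hidden[i]->ImageFileName);
    return 0;
}
```

The point of the two checks is the order they are run in: `count_inconsistent_links` returns 0 both before and after the unlink, because the post's procedure rewrites the two neighbours cleanly, so anything that only follows the list (Task Manager, tasklist, Get-Process, or a naive integrity walk) has no way to notice. `find_unlinked_processes` instead compares the list walk against objects found independently of the pointers, which is why memory-forensics tools that scan for _EPROCESS allocations still report the process; as a secondary indicator, the unlinked object's own Flink/Blink keep pointing at nodes that no longer point back at it.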