Script to unhide processes in Windows (DKOM)

Maria Luisa Redondo Velázquez 0 Reputation points
2023-03-01T23:54:40.5433333+00:00

Hi colleagues.

I need a script in .cpp (C++) to unhide processes in Windows. It needs to report whether there is any hidden process in the system by using EPROCESS and comparing the results with the list generated by calling CreateToolhelp32Snapshot or a similar function which can provide the list of processes. Any differences should highlight hidden processes (basically using the cross-view method or difference-based method).

Can you provide some support / help or any script which can be used for this purpose?

It would be much appreciated.

Thanks in advance.

Regards.


2 answers

  1. Limitless Technology 43,931 Reputation points
    2023-03-03T11:06:57.1033333+00:00
    Hi. Thank you for your question and for reaching out. I'd be more than happy to help you with your query.
    
    It actually depends on how hidden the process is. But you can try this code:
    
    #include <windows.h>
    #include <tlhelp32.h>
    #include <iostream>
    #include <vector>
     
    // NOTE: the two structures below are not the real kernel EPROCESS layout
    // (which is undocumented, differs between Windows builds and lives in
    // kernel memory, so it cannot be read from a user-mode program). They are
    // kept here as posted but are not used by the code that follows.
    struct EPROCESS_BASIC_INFORMATION
    {
        ULONG Reserved1;
        PVOID PebBaseAddress;
        PVOID Reserved2[2];
        ULONG UniqueProcessId;
        PVOID Reserved3;
    };
     
    struct EPROCESS
    {
        EPROCESS_BASIC_INFORMATION     BasicInfo;
        LIST_ENTRY                    ProcessListEntry;
        ULONG                         SessionId;
        PVOID                         Reserved1[3];
        ULONG                         UniqueProcessId;
        PVOID                         Reserved2;
        ULONG                         HandleCount;
        ULONG                         Reserved3[2];
        ULONG                         VmCounters;
        PVOID                         Reserved4[2];
        ULONG                         IoCounters;
    };
     
    // Collect the process IDs visible through a Toolhelp snapshot. This is the
    // "high-level" view: an empty vector is returned if the snapshot fails.
    std::vector<ULONG> ListProcesses()
    {
        std::vector<ULONG> processIds;
     
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapshot == INVALID_HANDLE_VALUE)
            return processIds;
     
        PROCESSENTRY32 pe;
        pe.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First
        if (Process32First(hSnapshot, &pe))
        {
            do
            {
                processIds.push_back(pe.th32ProcessID);
            } while (Process32Next(hSnapshot, &pe));
        }
     
        CloseHandle(hSnapshot);   // release the snapshot handle
        return processIds;
    }
     
    int main()
    {
        for (ULONG pid : ListProcesses())
            std::cout << pid << '\n';
        return 0;
    }
    
    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
    

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
