This post is just to give a simple idea of WinDbg scripting. I am not employing any new technique here: there are a lot of articles and code samples on how to enumerate processes in kernel mode using ActiveProcessLinks in the EPROCESS structure. Please set up Windows debugging symbols before using the script.
Please go through Windows Internals and the WinDbg commands before reading the article, and get some familiarity with WinDbg scripting, including its MASM and C++ expression syntax.
I start from PsActiveProcessHead and then use ActiveProcessLinks to traverse the processes.
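A minimal WinDbg script illustrating this walk, added here as an example; it is not the author's script (which the post refers to but which is not reproduced on this page). It assumes a kernel-mode session with symbols loaded, reads the nt!_EPROCESS field offsets from the symbols rather than hard-coding them, and uses only the PsActiveProcessHead / ActiveProcessLinks structures the post names.

```windbg
$$ Added example: walk the doubly-linked active-process list.
$$ Assumes a live or crash-dump kernel session with nt symbols resolved.
$$ Run with: $$>< <path-to-script>

$$ $t1 = address of the list head, $t0 = first Flink in the list
r $t1 = nt!PsActiveProcessHead
r $t0 = poi(@$t1)
r $t3 = 0

.printf "EPROCESS   PID    Image\n"

.while (@$t0 != @$t1)
{
    $$ LIST_ENTRY is embedded in _EPROCESS; subtract its offset to get
    $$ the containing _EPROCESS (same idea as CONTAINING_RECORD in C).
    r $t2 = @$t0 - @@c++(#FIELD_OFFSET(nt!_EPROCESS, ActiveProcessLinks))

    $$ UniqueProcessId is a HANDLE; ImageFileName is a 16-byte ANSI array.
    .printf "%p  %5d  %ma\n",
        @$t2,
        poi(@$t2 + @@c++(#FIELD_OFFSET(nt!_EPROCESS, UniqueProcessId))),
        @$t2 + @@c++(#FIELD_OFFSET(nt!_EPROCESS, ImageFileName))

    r $t3 = @$t3 + 1
    r $t0 = poi(@$t0)
}

$$ The Idle process is not on this list, so it will not appear here.
$$ A DKOM rootkit that unlinks an _EPROCESS from ActiveProcessLinks
$$ also hides it from this walk; comparing this count against other
$$ structures (e.g. the handle table, as the post plans) is the check.
.printf "\n%d processes on PsActiveProcessHead\n", @$t3
```

The `%5d` format matches the 32-bit XP SP2 target the post was tested on; on 64-bit targets the HANDLE value read by `poi` is 64 bits wide.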
Here is a script to do the same thing. It can be run from the WinDbg kernel debugger using the following command:
I have tested the script on XP SP2. Below is the script:
The script needs some more workarounds.
I will be enhancing this script to find processes hidden by rootkits using other structures such as the HandleTable. This would be helpful in cases where malware does not allow tools like GMER to run on the machine.
I came across C code on the internet that uses this technique. I am not sure who the author is; anyway, thanks to the author. The site is offline, so I am pasting the code here.