求助关于暴力枚举pid检测隐藏进程

你好，再见

请教各位关于暴力枚举pid检测隐藏进程
我翻看了OpenArk的源代码，为什么它的代码当中pid每次+4而不是+1呢，有没有相关资料说明？

另外它设置的pid上限为65536，我也没查到相关资料。
很久之前看到过一篇关于进程隐藏的文章，里面提到过4个pid对应一个进程（当时没看懂表述可能有错误）
求大佬们解惑

[C++] 纯文本查看 复制代码

bool PsGetAllProcessV2(__out std::vector<DWORD> &pids)
{
        pids.clear();
        bool result = true;
        for (DWORD i = 8; i < 65536; i += 4) {
                if (!PsIsDeleted(i))    // 通过OpenProcess判断pid对应进程是否存在
                        pids.push_back(i);
        }
        return !pids.empty();
}

https://github.com/BlackINT3/none/blob/master/src/unone/process/unone-ps.cpp#L1348

爱飞的猫

可以看微软的技术博客：
https://devblogs.microsoft.com/oldnewthing/20080228-00/?p=23283

总结：都是巧合。

上面的链接有提到一个更老的文章（连接没了，要找快照）：

Not very well known is that the bottom two bits of kernel HANDLEs are always zero; in other words, their numeric value is always a multiple of 4. Note that this applies only to kernel HANDLEs; it does not apply to pseudo-handles or to any other type of handle (USER handles, GDI handles, multimedia handles...) Kernel handles are things you can pass to the CloseHandle function.

The availability of the bottom two bits is buried in the ntdef.h header file:

//
// Low order two bits of a handle are ignored by the system and available
// for use by application code as tag bits.  The remaining bits are opaque
// and used to store a serial number and table index.
//

#define OBJ_HANDLE_TAGBITS  0x00000003L
That at least the bottom bit of kernel HANDLEs is always zero is implied by the GetQueuedCompletionStatus function, which indicates that you can set the bottom bit of the event handle to suppress completion port notification. In order for this to work, the bottom bit must normally be zero.

This information is not useful for most application writers, which should continue to treat HANDLEs as opaque values. The people who would be interested in tag bits are those who are implementing low-level class libraries or are wrapping kernel objects inside a larger framework.

内核句柄低二位有其他作用，而进程 id 等也是内核句柄。所以低 2 位为零，也就是都是 4 的倍数。

董督秀

为什么它的代码当中pid每次+4而不是+1呢

pid的十进制值需要是4的整数倍。

AntelopeE

可能是多线程环境下减少锁竞争

yymmll

看了下任务管理器里的pid，还真是4的倍数，《Windows Internals》第5章