LAPTOP i7

pslist:
"pslist" module utilizes the same algorithm as the tasklist command that would be executed on the live computer. And also, Windows Task Manager uses the same approach as well.
The above mentioned command "pslist" traverses the list of active process structures that the Windows kernel maintains.

The windows kernel uses the EPROCESS data structure to describe each running process. Contents of the EPROCESS structure allow the OS to determine where in memory the code and process address space is located and specifies the threads associated with the process. This structure also contains pointers to the structure that allows Windows( and memory analysis tools) to map from virtual memory to physical memory. In addition, the EPROCESS data structure contains pointers, which make up a doubly-linked circular list of active processes.  A forward pointer from one process EPROCESS structure points to the next process EPROCESS structure; a backward pointer specifies the address of the previous process EPROCESS structure. And, this doubly linked list of EPROCESS structure is pointed by PsActiveProcessHead

Fig. 1

The linked list as shown in fig.1 is used by tools such as Windows Task Manager,tasklist and Volatilitys pslist to display the running processes to the system.
However, malicious process can remove EPROCESS block from this list,while continuing to run. This list is not used by the kernel scheduler to actually change context and execute the process.Therefore, one method used by rootkits to hide processes is simply to unlink the process from the active process list. Once unlinked , rootkit nicely hides the process from most standard process enumeration tools.