hi,
I am reviewing a security tool, currently for x64, which finds hidden kernel modules and protected processes by using MmPhysicalMemoryBlock, described here:
http://www.msuiche.net/2008/09/17/retri ... t-version/
So the theory is that this function is used to get a dump of physical memory, to then query for targets such as Attacker.sys / Attacker.exe, but this is done periodically to avoid lagging out the system or random bugchecks.
Previously, unloading the driver would suffice, which I detail here:
http://www.kernelmode.info/forum/viewto ... =14&t=3678
However, this is now patched, so does anyone have any experience with this function and its use in an anti-evasion scenario?
Thanks,
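As an added illustration of the scanning approach the post describes (this is not the reviewed tool's code, nor anything from the linked write-ups): the structure MmPhysicalMemoryBlock points to lists physical memory as runs of page frames, and a descriptor-driven scanner walks exactly those runs, a bounded number of pages per time slice, so the work is spread over time instead of being done in one long pass. The PHYSICAL_MEMORY_RUN / PHYSICAL_MEMORY_DESCRIPTOR field layout is the kernel's own; the sixteen-page fake physical memory, the planted PE headers, the cursor/budget slicing and the minimal MZ/PE header test are constructed for this demo and are assumptions, not a description of how the tool actually works.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096u

/* Layout of the structure MmPhysicalMemoryBlock points to (x64: PFN_NUMBER
 * is 64-bit). Field names are the kernel's; it declares Run[1] and
 * over-allocates, a flexible array member stands in for that here. */
typedef uint64_t PFN_NUMBER;

typedef struct _PHYSICAL_MEMORY_RUN {
    PFN_NUMBER BasePage;        /* first page frame number of the run */
    PFN_NUMBER PageCount;       /* contiguous pages in the run */
} PHYSICAL_MEMORY_RUN;

typedef struct _PHYSICAL_MEMORY_DESCRIPTOR {
    uint32_t NumberOfRuns;
    PFN_NUMBER NumberOfPages;   /* sum of PageCount over all runs */
    PHYSICAL_MEMORY_RUN Run[];  /* NumberOfRuns entries, ascending BasePage */
} PHYSICAL_MEMORY_DESCRIPTOR;

/* The kernel builds the descriptor at boot; the demo constructs one. */
static PHYSICAL_MEMORY_DESCRIPTOR *build_descriptor(const PHYSICAL_MEMORY_RUN *runs, uint32_t n)
{
    PHYSICAL_MEMORY_DESCRIPTOR *d = calloc(1, sizeof *d + (size_t)n * sizeof(PHYSICAL_MEMORY_RUN));
    if (!d) return NULL;
    d->NumberOfRuns = n;
    for (uint32_t i = 0; i < n; i++) {
        d->Run[i] = runs[i];
        d->NumberOfPages += runs[i].PageCount;
    }
    return d;
}

/* Page-aligned PE header test: "MZ" at 0 and e_lfanew landing on "PE\0\0"
 * within the same page. Illustrative only; a real scanner keys on far more. */
static int page_has_pe_header(const uint8_t *page)
{
    uint32_t e_lfanew;
    if (page[0] != 'M' || page[1] != 'Z') return 0;
    memcpy(&e_lfanew, page + 0x3c, sizeof e_lfanew);
    return e_lfanew <= PAGE_SIZE - 4 && memcmp(page + e_lfanew, "PE\0\0", 4) == 0;
}

/* One time slice of the periodic scan: visit at most `budget` described
 * pages starting at *cursor, record PFNs holding a PE header, and leave
 * *cursor at the next page to visit (0 once a full pass is complete).
 * Pages not covered by any run (holes) are never touched. */
static size_t scan_described_pages(const PHYSICAL_MEMORY_DESCRIPTOR *d,
                                   const uint8_t *phys, size_t phys_bytes,
                                   PFN_NUMBER *cursor, size_t budget,
                                   PFN_NUMBER *found, size_t max_found)
{
    size_t nfound = 0, visited = 0;
    PFN_NUMBER next = *cursor;
    int done = 1;
    for (uint32_t i = 0; i < d->NumberOfRuns && done; i++) {
        const PHYSICAL_MEMORY_RUN *r = &d->Run[i];
        PFN_NUMBER end = r->BasePage + r->PageCount;
        PFN_NUMBER pfn = next > r->BasePage ? next : r->BasePage;
        while (pfn < end) {
            if (visited == budget) { done = 0; break; }
            size_t off = (size_t)pfn * PAGE_SIZE;   /* only pages inside our mapped window */
            if (off + PAGE_SIZE <= phys_bytes && nfound < max_found && page_has_pe_header(phys + off))
                found[nfound++] = pfn;
            pfn++;
            visited++;
        }
        next = pfn;
    }
    *cursor = done ? 0 : next;
    return nfound;
}

/* Constructed image header at page `pfn` of the fake physical memory. */
static void plant_pe_header(uint8_t *phys, PFN_NUMBER pfn)
{
    uint8_t *p = phys + pfn * PAGE_SIZE;
    uint32_t e_lfanew = 0x80;
    p[0] = 'M'; p[1] = 'Z';
    memcpy(p + 0x3c, &e_lfanew, sizeof e_lfanew);
    memcpy(p + e_lfanew, "PE\0\0", 4);
}

/* Demo: 16 pages of constructed "physical memory", runs covering pages 0-3
 * and 8-11, headers planted at pages 1, 6 and 9. Page 6 sits in a hole, so
 * only 1 and 9 are reported. Runs the periodic scan to completion with
 * `budget` pages per slice; returns the hit count, stores the slice count. */
static size_t run_demo(PFN_NUMBER *found, size_t max_found, size_t budget, size_t *slices)
{
    enum { NPAGES = 16 };
    const PHYSICAL_MEMORY_RUN runs[2] = { { 0, 4 }, { 8, 4 } };
    PHYSICAL_MEMORY_DESCRIPTOR *d = build_descriptor(runs, 2);
    uint8_t *phys = calloc(NPAGES, PAGE_SIZE);
    size_t total = 0;
    PFN_NUMBER cursor = 0;
    *slices = 0;
    if (!d || !phys || budget == 0) { free(d); free(phys); return 0; }
    plant_pe_header(phys, 1);
    plant_pe_header(phys, 6);
    plant_pe_header(phys, 9);
    do {
        total += scan_described_pages(d, phys, NPAGES * PAGE_SIZE, &cursor, budget,
                                      found + total, max_found - total);
        (*slices)++;
    } while (cursor != 0);
    free(d);
    free(phys);
    return total;
}

int main(void)
{
    PFN_NUMBER found[8];
    size_t slices, n = run_demo(found, 8, 3, &slices);
    printf("%zu hit(s) in %zu slice(s):", n, slices);
    for (size_t i = 0; i < n; i++) printf(" pfn %llu", (unsigned long long)found[i]);
    printf("\n");
    return 0;
}
```

Page 6 is never reported because no run covers it: a descriptor-driven scan sees only what the descriptor lists. The cursor/budget split is one way to realise the "periodic" scanning the post mentions; how the reviewed tool actually schedules its passes is not known from the post.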