Well in certain cases you want a local module/process that can do certain things easier, say open a handle and read/write memory. You then use the higher level of a driver to protect that module or process but it becomes difficult in these scenarios when there are equally powerful prevention/evasion techniques.
I am not patching like BlackBone does, I am enumerating through the VAD, locating my loaded module and then nulling the string entry ("blabla".dll) and is PG safe and should remain that way. I believe the issue is due to not using obRegisterCallbacks correctly in this environment so after initating that and restricting access to my process that the module is cloaked into results are now as expected for all tools checked.
Ofcourse Device\\PhyiscalMemory access or indeed VMMAP type solutions won't be prevented with this method.
Its also good to open this type of discussion I think.
Attachment of view of strings in memory now, seems that ObRegisterCallbacks was the issue.
You do not have the required permissions to view the files attached to this post.