A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
#25311 by kerpow
Sun Feb 22, 2015 5:02 pm

I am reviewing a security tool, currently for x64, which finds hidden kernel modules and protected processes by using MmPhysicalMemoryBlock, described here:

http://www.msuiche.net/2008/09/17/retri ... t-version/

So the theory is that this function is used to get a dump of physical memory and then query targets such as Attacker.sys / Attacker.exe, but it is done periodically to avoid lagging out the system or random bugchecks.

Now, previously unloading the driver would suffice, which I detail here:

http://www.kernelmode.info/forum/viewto ... =14&t=3678

However, this is now patched, so does anyone have any experience with this function and its use in an anti-evasion scenario?