OssieFromDK
Reputation: 59
Detect EPROCESS and PsLoadedModuleList tamper from kernel
Is it possible to detect if stuff like the EPROCESS struct and PsLoadedModuleList has been tampered with from Kernel? I guess what I'm looking for is a "PatchGuard" like solution do detect changes, but since PatchGuard can be disabled, I'd like to do my own checks. From what I understand PatchGuard stores a checksum of the structs and checks if they match periodically or something like that?
I just don't see how this would work for me, since a process could have already been unlinked before my checks run the first time, and thereby the first checksum would not include the hidden process.
If anyone has any smart ideas I'm all ears
Thanks
Upvotes: 0
Views: 28
Answers (0)
Related Questions
- The Definitive C++ Book Guide and List
- What are the basic rules and idioms for operator overloading?
- How to set, clear, and toggle a single bit
- Image Processing: Algorithm Improvement for 'Coca-Cola Can' Recognition
- Why is reading lines from stdin much slower in C++ than Python?
- What is the difference between const int*, const int * const, and int * const?
- When should static_cast, dynamic_cast, const_cast, and reinterpret_cast be used?
- What are the differences between a pointer variable and a reference variable?
- What is the copy-and-swap idiom?
- What is the difference between #include <filename> and #include "filename"?