Reading User-Mode Process Memory from Kernel-Mode Code in Windows
One popular technique is based on a pair of functions: KeStackAttachProcess attaches the current thread to the address space of the target process, after which that process's user-mode memory can be read directly. This approach is used by both antiviruses and rootkits. I also found some of my old screenshots of disassembled ProcessXP, which uses the same approach. The final snippet code could…
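The attach-read-detach sequence described above, written out as an added kernel-mode example (not the post's own snippet; it needs the WDK headers and the function name `ReadAttachedProcessMemory` is my own choice):

```c
#include <ntddk.h>

/*
 * Copy `Length` bytes from `UserAddress` in the process identified by `Pid`
 * into `KernelBuffer`. `KernelBuffer` must be kernel memory (e.g. pool),
 * not a user-mode buffer of the calling process: once attached, the
 * caller's own user-mode addresses are no longer mapped.
 */
NTSTATUS ReadAttachedProcessMemory(HANDLE Pid, PVOID UserAddress,
                                   PVOID KernelBuffer, SIZE_T Length)
{
    PEPROCESS process = NULL;
    KAPC_STATE apcState;
    NTSTATUS status;

    /* Resolve the PID to an EPROCESS; this takes a reference we must drop. */
    status = PsLookupProcessByProcessId(Pid, &process);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* Switch this thread onto the target's address space. */
    KeStackAttachProcess(process, &apcState);

    __try {
        /* Reject kernel addresses and unmapped ranges before touching them;
         * a fault inside the copy is caught by the handler below. */
        ProbeForRead(UserAddress, Length, sizeof(UCHAR));
        RtlCopyMemory(KernelBuffer, UserAddress, Length);
        status = STATUS_SUCCESS;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }

    /* Always detach and release the reference, even on failure. */
    KeUnstackDetachProcess(&apcState);
    ObDereferenceObject(process);
    return status;
}
```

Call it at PASSIVE_LEVEL with a pool-allocated `KernelBuffer`; a read that crosses into unmapped or kernel addresses returns the exception code instead of crashing the system.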