@ -98,6 +98,51 @@ pml4e at -> 272 (0x0000000127957880)
// ...
```
You can simply call `NtQuerySystemInformation` - `SystemProcessInformation` and enumorate all running processes (BattlEye already does this) to obtain each processes PID.
While looping over process information structures you can `PsLookupProcessByProcessId` to obtain the PEPROCESS, then add 0x28 to this PEPROCESS to get the DirectoryTableBase of
that process. You can KeStackAttachProcess to this process and call MmGetVirtualForPhysical to get the hyperspace mappings of this processes PML4. This hyperspace address
is the virtual address of the PML4, you can simply scan this for inconsistant PML4E->PFN's as described above. You can also scan for kernel memory in usermode.
This is a simple example of checking for kernel memory in usermode...
```cpp
// for loop enumorating over SYSTEM_PROCESS_INFORMATION results...
// check to see if there is kernel memory in usermode...
for (UINT16 idx = 0; idx <256;++idx)
if(!HyperSpacePml4[idx].UserSuperVisor)
// kernel memory was found in usermode...
}
KeUnstackDetachProcess(&ApcState);
```
### Simple Kernel Pool Scans (AMD Version)
The AMD varient of this project is already detected by EAC as its allocated in a kernel pool with no protections. Simple scans for `sub rsp, 28h`, `add rsp ?, ret` will