From bb97b2012dc36682d5c7001d289b5a1839196053 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sun, 6 Dec 2020 22:46:02 +0000 Subject: [PATCH] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2c19fc3..dd83f28 100644 --- a/README.md +++ b/README.md @@ -131,7 +131,7 @@ While looping over process information structures you can `PsLookupProcessByProc that process. You can KeStackAttachProcess to this process and call MmGetVirtualForPhysical to get the hyperspace mappings of this processes PML4. This hyperspace address is the virtual address of the PML4, you can simply scan this for inconsistant PML4E->PFN's as described above. You can also scan for kernel memory in usermode. -This is a simple example of checking for kernel memory in usermode... +This is a simple example of checking for kernel memory in usermode and for invalid PFN's. Keep in mind that this will not check KVA shadowing usermode PML4. ```cpp // for loop enumorating over SYSTEM_PROCESS_INFORMATION results... KeStackAttachProcess(DesiredProcess, &ApcState);