|
I wonder if it would be possible to open \Device\PhysicalMemory and map it, and search for the DebugObject structure, and then physically decrement the counts prior to run?
I think it'd be a cute plug-in for Olly, no?
Granted, there are some memory regions to stay away from while searching, but it'd be all Ring 3...
|