Peter[Pan]

The protection you've done is quite cool. My original idea was to modify the structures that the Query would return, and while finding them in physical memory is easy, it appears to create a race condition on program termination (ie. debugger tries to release debug object that REALLY has a zero reference count). Yuch!

It might be possible to hook Query without detection, but I'm begining to think ring-0 might be the only fool-proof way to do this.

Definitely a brain-teaser.