Here its an IDA plugin, line 117:
https://github.com/nihilus/idastealth/blob/master/src/StealthDriver/StealthDriver/StealthImplementation.cpp
it uses MmBuildMdlForNonPagedPool + MmMapLockedPages
it’s unusual for me to see this and it seems to work fine, how is it possible and why?
–
Alex don