Hello,

It may not be specific to the hiding of drivers, but it is in the same category: malware/rootkit (detection). My question is: how can I access the page directory entries / page table entries under Windows 7 32-bit PAE with a kernel driver?

I tried to dump with my kernel driver the values at 0xC0600000, 0xC0000000, 0xC0300000, but got only zeroes and/or unusable results, also by "attaching" with KeStackAttachProcess/KeAttachProcess (the drivers are already in the context of the System process). With LiveKd/WinDbg I got correct values. What am I doing wrong? (In a driver coding tut by "HolyFather" the driver accessed the area directly, without attaching...)

Reason: I was searching for malware on my PC "bare-handed", also with LiveKD etc. I was stumbling around and checked some memory areas with my driver (by dumping them to DbgView) when I looked at the System PDE area, with the above mentioned results.
Updated 3-Aug-10 7:34am

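For the PAE self-map layout the question is about (PTEs at 0xC0000000, PDEs at 0xC0600000 on 32-bit PAE builds, 0xC0300000 being the non-PAE PDE base), here is an added example that is not part of the original post: it computes the self-mapped PDE/PTE address for a virtual address and walks the two levels with a present-bit and large-page check at each step, which is what a detection driver needs before dereferencing any of these entries. The `read_qword_fn` callback, the `demo_map` table and all function names are assumptions made for this example; in a real driver the read would be guarded by `MmIsAddressValid` and run at the right IRQL.

```c
/* PAE (x86, Windows 7 32-bit) self-map page-table walk. Hypothetical example code. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAE_PTE_BASE 0xC0000000u   /* self-mapped PTE array (PAE: 8-byte entries) */
#define PAE_PDE_BASE 0xC0600000u   /* self-mapped PDE array (non-PAE builds use 0xC0300000) */
#define ENTRY_PRESENT 0x1ull
#define ENTRY_LARGE   0x80ull      /* PS bit in a PDE: 2 MiB page, there is no PTE level */
#define ENTRY_NX      (1ull << 63)
#define PFN_MASK      0x000FFFFFFFFFF000ull

/* Virtual address of the PDE / PTE that maps `va` (PAE: 2 MiB per PDE, 4 KiB per PTE). */
uint32_t pae_pde_address(uint32_t va) { return PAE_PDE_BASE + ((va >> 21) << 3); }
uint32_t pae_pte_address(uint32_t va) { return PAE_PTE_BASE + ((va >> 12) << 3); }

/* Reader abstraction: in a driver this is MmIsAddressValid() followed by a 64-bit
 * read of the self-map; here it is backed by a constructed table so the walk runs offline. */
typedef uint64_t (*read_qword_fn)(uint32_t va);

/* Translate `va` to a physical address. Returns false when the PDE or PTE is not
 * present; touching the PTE of a non-present PDE would fault in a real driver. */
bool pae_translate(uint32_t va, read_qword_fn rd, uint64_t *phys) {
    uint64_t pde = rd(pae_pde_address(va));
    if (!(pde & ENTRY_PRESENT)) return false;
    if (pde & ENTRY_LARGE) {               /* 2 MiB page: address bits 21 and up come from the PDE */
        *phys = (pde & 0x000FFFFFFFE00000ull) | (va & 0x1FFFFF);
        return true;
    }
    uint64_t pte = rd(pae_pte_address(va));
    if (!(pte & ENTRY_PRESENT)) return false;
    *phys = (pte & PFN_MASK) | (va & 0xFFF);
    return true;
}

/* Constructed self-map contents (not taken from any real machine): one 4 KiB mapping
 * at 0x80001000 and one 2 MiB large page at 0x00400000. Everything else reads as zero. */
static const struct { uint32_t addr; uint64_t value; } demo_map[] = {
    { 0xC0602000u, 0x0000000000200063ull },            /* PDE for 0x80000000-0x801FFFFF, PFN 0x200 */
    { 0xC0400008u, ENTRY_NX | 0x0000000012345063ull }, /* PTE for 0x80001000: PFN 0x12345, NX set */
    { 0xC0600010u, 0x00000000400000E3ull },            /* PDE for 0x00400000: large page at 1 GiB */
};

uint64_t demo_read(uint32_t va) {
    for (size_t i = 0; i < sizeof demo_map / sizeof demo_map[0]; i++)
        if (demo_map[i].addr == va) return demo_map[i].value;
    return 0;   /* an absent entry reads as all zeroes, i.e. not present */
}

int main(void) {
    uint32_t vas[] = { 0x80001234u, 0x00412345u, 0x00200000u };
    for (size_t i = 0; i < 3; i++) {
        uint64_t phys = 0;
        bool ok = pae_translate(vas[i], demo_read, &phys);
        printf("VA %08X -> %s %llX\n", vas[i], ok ? "PA" : "not present", (unsigned long long)phys);
    }
    return 0;
}
```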