MemoryMonTest is a set of test projects for MemoryMon. It currently consists of the following projects:
- NoImage
- Unlinked
NoImage copies its own code into non-paged pool and runs it from there. The copied code periodically executes as a DPC and as a work item, and prints out its address. All of those code executions should be reported by MemoryMon.
Note that this driver reports a failure on load with error code 995. This is by design: by the time the failure is reported, the code has already been copied and is executing.
Unlinked installs a process notify routine and then unlinks itself from PsLoadedModuleList so that system monitoring tools do not list it. The notify routine debug-prints process creation and termination events, and its execution should be reported by MemoryMon.
Beware that on 64-bit systems PatchGuard will issue bug check 109, because unlinking modules from PsLoadedModuleList is prohibited.
On the x64 platform, you have to enable test signing before the driver can be installed. To do that, open a command prompt with administrator privileges, run the following command, and then restart the system for the change to take effect:
bcdedit /set {current} testsigning on
To install a driver, extract the archive file and use the 'sc' command. For installation (shown here for NoImage; use the same commands with the other driver name for Unlinked):
>sc create NoImage type= kernel binPath= C:\Users\user\Desktop\NoImage.sys
>sc start NoImage
For uninstallation:
>sc stop NoImage
>sc delete NoImage
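The install and uninstall steps above, wrapped in an added PowerShell helper that is not part of MemoryMonTest. It performs the checks a tester would otherwise do by hand (driver file present, test signing enabled on x64, refusing to load Unlinked on 64-bit Windows where bug check 109 is expected) and treats NoImage's error 995 as the documented success case. It assumes that sc.exe returns the Win32 error code of a failed call as its process exit code.

```powershell
# Added helper, not part of MemoryMonTest. Run from an elevated PowerShell prompt.
# Assumption: sc.exe exits with the Win32 error code when create/start fails.
param(
    [Parameter(Mandatory)][ValidateSet('NoImage', 'Unlinked')][string]$Driver,
    [string]$SysPath,      # path to NoImage.sys or Unlinked.sys (required unless -Uninstall)
    [switch]$Uninstall
)

if ($Uninstall) {
    # Mirrors the README's uninstall sequence: stop, then delete the service entry.
    sc.exe stop $Driver | Out-Null
    sc.exe delete $Driver
    return
}

if (-not $SysPath -or -not (Test-Path -LiteralPath $SysPath)) {
    throw "Driver file not found: '$SysPath'"
}

if ([Environment]::Is64BitOperatingSystem) {
    # Unlinking from PsLoadedModuleList trips PatchGuard (bug check 109) on x64,
    # so refuse to load Unlinked here; use an x86 VM for that test.
    if ($Driver -eq 'Unlinked') {
        throw 'Unlinked causes bug check 109 on 64-bit Windows; run it on an x86 system.'
    }
    # The test drivers are test-signed, so testsigning must already be on
    # (bcdedit shows 'testsigning Yes' only after the setting is active).
    $bcd = bcdedit /enum '{current}' | Out-String
    if ($bcd -notmatch 'testsigning\s+Yes') {
        throw "Test signing is off. Run 'bcdedit /set {current} testsigning on' as admin and reboot."
    }
}

sc.exe create $Driver type= kernel binPath= $SysPath
if ($LASTEXITCODE -ne 0) { throw "sc create failed with error $LASTEXITCODE" }

sc.exe start $Driver
$rc = $LASTEXITCODE
if ($Driver -eq 'NoImage' -and $rc -eq 995) {
    # Documented behaviour: NoImage fails DriverEntry on purpose after copying
    # its code into non-paged pool; that copy keeps running and MemoryMon should report it.
    Write-Host 'NoImage returned the expected error 995; its copied code is now executing.'
} elseif ($rc -ne 0) {
    throw "sc start failed with error $rc"
}
```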
Supported platforms:
- x86 and x64 Windows 7, 8.1 and 10
This software is released under the MIT License, see LICENSE.