Previously, you saw how process listing could be manipulated to hide a process; you also understood how psscan uses pool tag scanning to detect the hidden process. It turns out that _POOL_HEADER (which psscan relies on) is only used for debugging purposes, and it does not affect the stability of the operating system. This means an attacker can install a kernel driver to run in the kernel space and modify the pool tags or any other field in the _POOL_HEADER. By modifying the pool tag, an attacker can prevent the plugins that rely on pool tag scanning from working properly. In other words, by modifying the pool tag, it is possible to hide the process from the psscan. To overcome this problem, The psxview plugin ...