In the previous example, the TDSS rootkit DLL performed a check to see if it is running under spoolsv.exe. We modified the bytes in the program so that the DLL can run under notepad.exe instead of spoolsv.exe. What if you wanted to reverse the logic so that DLL can run under any process (other than spoolsv.exe)? To do that, we can change the jnz instruction to jz by selecting Edit | Patch program | Assemble, as shown in the following screenshot. This will reverse the logic and cause the program to return from the function without exhibiting any behavior when the DLL is running under spoolsv.exe. Whereas when the DLL is running under any other process, it exhibits malicious behavior. After changing the instructions, ...