In "Example: Hiding Processes using an SSDT Hook" in chapter 4 of this book, the hiding algorithm enumerates through the call result, the SYSTEM_PROCESSES array. Then it adds any hidden process's time to the idle process.
But it seems that this algorithm assumes the "idle" process is the last entry in the SYSTEM_PROCESSES array. What if the "idle" process is in the middle of the array or even the first entry? I think the algorithm will fail.
If I have misunderstood the point, please feel free to point it out. Thanks!