[Original] Antirootkit: CodeWalker
Posted: 2008-12-12 15:02 25169

Latest replies (75)

I just made an example like redirecting ntoskrnl.exe to cmd.exe.
In fact I just use a memory dump of the ntoskrnl.exe (I hooked) to xxx.exe
and redirect ntoskrnl.exe to xxx.exe.

Then the image in memory and on disk are the same.


Ah, I see :) Then this is the weakness of the mismatch detection algorithm. I'll improve it and make a fix. Thanks vxk ;)
2008-12-15 12:17