I've got a memory forensics presentation coming up next week and I'd like to use a sample that will illustrate a crossview example.
 
Specifically, I'd like to use an example that hides from pslist on the running system (don't want a DKOM example) but we can find it using Volatility.
I'd like it to be something running and not a process injection sample.
 
Does someone have a suggestion as to which one may provide a good illustration?
 
Thanks,
Mike