What about a much lower level?



NinjaSquirrel
11-13-2002, 08:50 PM
Just thinking out loud here... And I know it won't do 98/ME users any good... but what about enabling the kernel debugger on your XP/2K box, hooking serial ports together between the two boxes, and letting a script on the SEQ box get the memory info it needs that way?

Seems to me that a sniff from the kernel-level would be transparent to any application running at a higher level... or am I smoking some really bad dope?

NS

LordCrush
11-14-2002, 12:19 AM
I tried this, but I did not come very far, but this might have been lack of time. But I don't know if it is detectable ... will post results later

a_necro00
11-14-2002, 07:27 AM
With KD you can only debug Kernel-mode drivers.

You could use CDB or NTSD (I haven't used them) to try to debug user-mode eqgame.exe, but I bet my balls that this will set the I-am-being-debugged flag. This is an unwise thing to do as they only need to check IsDebuggerPresent() to ban you to hell. And NO, current sniffers on the boards DO NOT set this flag as they don't use DebugActiveProcess().

There are some people (including myself) working on a kernel-mode kinda null driver that reads user-mode memory without traces, but at least for myself it is a very slow try-and-catch-bugs (the blue screen kind) programming mode; the environment is tough and my hacking skills are too rusty. If I finish it someday I will post the skel, don't know about the others.

Edit: clarifying behavior of current sniffers.