How to Remove a Notify Routine from Kernel

Hi.

I’m from Brazil and I’m a security analyst. I’m beginning to learn something about driver code and I have a plan to build an anti-rootkit.

So here is my question. I know how to remove a Notify Routine that I created. But how can I remove a Notify Routine that is not mine? I know that it’s possible because the anti-rootkit XueTr (from China I think) can do this… But how?

Thank you guys

As was already answered to you on the Microsoft forums, there is no safe way to remove a notify routine from a driver you don’t own. There is a lot of crap out there in the anti-malware space that tries to do this, but they are as likely to mess up the system as malware.

The only real option is to get the driver out of there, and typically, to be safe, this has to be done outside of the scope of the Windows installation that is infected.

Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@hotmail.com” wrote in message news:xxxxx@ntdev:

> Hi.
>
> I’m from Brazil and I’m a security analyst. I’m beginning to learn something about driver code and I have a plan to build an anti-rootkit.
>
> So here is my question. I know how to remove a Notify Routine that I created. But how can I remove a Notify Routine that is not mine? I know that it’s possible because the anti-rootkit XueTr (from China I think) can do this… But how?
>
> Thank you guys

wrote in message news:xxxxx@ntdev…

> I know that it’s possible because the anti-rootkit XueTr (from China I think)
> can do this… But how?

They try harder. Not only America got talent. China got talent too :wink:

–pa