
How to stop a device driver or free a registry key it's locking


zambuka42
January 13th, 2010, 01:16
There is a driver (.sys file in the sys32\drivers directory) that is locking a registry key from being modified. I would like to remove its grip from that key or just terminate it altogether. Are there any utilities or methods someone could recommend for me? Thanks. -b

Kayaker
January 13th, 2010, 01:50
There's a good chance it uses CmRegisterCallback to monitor deletion or modification of the registry entries. In the ones I've seen the malware driver doesn't actually *prevent* the deletion; it just detects the attempt and immediately queues a DPC or other callback to recreate the entry, so you don't even notice the difference.

You could try RKU, I think it unregisters CmRegisterCallback. It will probably suffice, but I found it actually had a pretty bad parsing error when killing some of the driver callbacks, such as PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine and PsSetCreateThreadNotifyRoutine.

If there were multiple callbacks of one type and you deleted say the first one in the list, suddenly RKU wouldn't detect the rest of them anymore. The author apparently was checking for a null pointer in the callback table to find the "end" of the list (usually a maximum of 8 allowed), and the algo didn't take account of that particular situation with multiple callbacks.

I don't remember if the CmRegisterCallback deleter had the same problem; it's a new addition, and the parsing error may have been avoided with a different algo. I did quite a bit of testing when developing my own version of a system callback monitor/killer, so that's why I'm aware of those details.


You could also try Ntcore's Filter Monitor, though I'm not sure if it handles CmRegisterCallback yet. Unfortunately I found it wasn't able to reliably detect the driver callbacks it does handle, at least on my particular system.

Good luck
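The RKU parsing bug Kayaker describes (treating the first NULL slot of a fixed-size callback table as the end of the list, so that deleting the first entry hides the rest) can be reproduced in a small user-mode model. This is an added example, not code from the thread or from RKU; the eight-slot table, the routine names and the unregister-by-clearing-the-slot behaviour are assumptions chosen to mirror the post, not the kernel's real callback layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a fixed-size callback table with 8 slots, as the
 * post describes. Assumption: the real kernel arrays differ in layout. */
#define MAX_CALLBACKS 8

typedef void (*notify_routine_t)(void);

typedef struct {
    notify_routine_t slots[MAX_CALLBACKS];
} callback_table_t;

/* Three dummy "driver" callbacks standing in for registered routines. */
static void routine_a(void) {}
static void routine_b(void) {}
static void routine_c(void) {}

/* Constructed sample: three callbacks registered in slots 0..2. */
void build_sample_table(callback_table_t *t)
{
    memset(t, 0, sizeof(*t));
    t->slots[0] = routine_a;
    t->slots[1] = routine_b;
    t->slots[2] = routine_c;
}

/* Buggy enumeration: treats the first NULL slot as the end of the list. */
size_t count_stop_at_null(const callback_table_t *t)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_CALLBACKS && t->slots[i] != NULL; i++)
        n++;
    return n;
}

/* Correct enumeration: visit every slot, count only non-NULL entries. */
size_t count_scan_all(const callback_table_t *t)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_CALLBACKS; i++)
        if (t->slots[i] != NULL)
            n++;
    return n;
}

/* Unregister by clearing the slot in place; the hole left behind is what
 * trips the buggy walk. Returns 1 if a callback was removed, else 0. */
int unregister_slot(callback_table_t *t, size_t i)
{
    if (i >= MAX_CALLBACKS || t->slots[i] == NULL)
        return 0;
    t->slots[i] = NULL;
    return 1;
}

/* Both walks agree while the table has no holes. */
int counts_agree_before_removal(void)
{
    callback_table_t t;
    build_sample_table(&t);
    return count_stop_at_null(&t) == 3 && count_scan_all(&t) == 3;
}

/* Reproduce the scenario: remove the first callback, then re-enumerate. */
size_t buggy_count_after_removing_first(void)
{
    callback_table_t t;
    build_sample_table(&t);
    unregister_slot(&t, 0);
    return count_stop_at_null(&t); /* 0: the two remaining callbacks vanish */
}

size_t correct_count_after_removing_first(void)
{
    callback_table_t t;
    build_sample_table(&t);
    unregister_slot(&t, 0);
    return count_scan_all(&t); /* 2 */
}

int main(void)
{
    callback_table_t t;
    build_sample_table(&t);
    printf("before removal: stop-at-null=%zu scan-all=%zu\n",
           count_stop_at_null(&t), count_scan_all(&t));
    unregister_slot(&t, 0);
    printf("after removing slot 0: stop-at-null=%zu scan-all=%zu\n",
           count_stop_at_null(&t), count_scan_all(&t));
    return 0;
}
```

The lesson for anyone writing a callback monitor is the one Kayaker draws: a bounded array that can contain holes must be scanned to its full capacity, not to the first empty slot, or a single unregistration blinds the tool to every later entry.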

zambuka42
January 13th, 2010, 03:09
@Kayaker. Thank you so much for the info and the quick response. It feels really good to have made some progress. The RootKit Unhooker has definitely helped. I was able to release what I felt was a stranglehold on that registry key. All I need to do now is figure out how to do it myself programmatically so that I can automate the process. After that, if I could only find a way to kill/suspend a device driver that is preventing the termination of a regular service... I'll be set. Everything I'm trying to do could be done easily if I allowed the computer to be rebooted, but I'm trying to accomplish something without the need for a restart. Anyway, again, thanks so much... I've tried about everything I could think of until you showed me that app. -b

FrankRizzo
January 16th, 2010, 15:04
It sounds like you are looking for a surgical solution, but I tend to opt more towards the sledge hammer version.

If the driver is something that you don't actually NEED, reboot with a Linux livecd, mount the drive, and rename the driver. (Or just move it somewhere safe).

Then, reboot windows, do whatever you need to the registry, and be on your way.

I might also suggest running the driver through IDA, and having a look at the API functions it calls. That might expose what's going on as well.

zambuka42
January 16th, 2010, 16:49
@Frank

Thanks for the reply. However, as I said... I could easily accomplish all of this if I allowed for a reboot... but I'm trying to do it without rebooting. Thanks. -b