9. Back in WinDbg
kd> e ehdrv+0x0001c6e0 c3
0xC3 is the RET opcode
After this patch, the notification callback returns immediately and does nothing
Unlinking the callback from the callbacks list is also doable
● Requires more work ...
● ... but is less detectable (no code alteration)
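A defender-side integrity check for the two tampering methods described above (a RET or NULL byte written at the routine's entry, and an entry unlinked from the callback list), written as an added example that is not part of the original slides. Module names, byte values and the extra offsets are constructed placeholders; only the ehdrv+0x0001c6e0 offset is taken from the slide, and in practice the snapshot would come from a memory forensics tool rather than being hard-coded.

```python
"""Audit kernel notification callbacks for entry-point patching and
silent unlinking. Added example; input is a constructed snapshot."""
from dataclasses import dataclass

RET = 0xC3  # the single-byte RET opcode used by the patch on the slide


@dataclass(frozen=True)
class Callback:
    module: str       # owning driver ("ehdrv" as on the slide)
    offset: int       # RVA of the callback routine inside the module
    in_memory: bytes  # first bytes read from the live kernel
    on_disk: bytes    # same bytes taken from the signed image on disk

    @property
    def name(self):
        return f"{self.module}+0x{self.offset:08x}"


def classify(cb):
    """Verdict for one callback that is still present in the list."""
    if cb.in_memory == cb.on_disk:
        return "intact"
    if cb.in_memory[0] == RET:
        return "patched: RET at entry, callback neutralised"
    if cb.in_memory[0] == 0x00:
        return "patched: NULL byte at entry"
    return "patched: unexpected bytes at entry"


def audit(expected, observed):
    """expected: names the product is known to register;
    observed: Callback records currently found in the kernel list.
    Registered-but-absent entries are reported as unlinked."""
    verdicts = {cb.name: classify(cb) for cb in observed}
    for name in expected - set(verdicts):
        verdicts[name] = "missing: unlinked from the callback list"
    return verdicts


# Constructed snapshot: prologue bytes are illustrative only.
OBSERVED = [
    Callback("ehdrv", 0x0001C6E0, bytes([0xC3, 0x8B, 0xEC]), bytes([0x48, 0x8B, 0xEC])),
    Callback("ehdrv", 0x00021000, bytes([0x48, 0x89, 0x5C]), bytes([0x48, 0x89, 0x5C])),
    Callback("otherdrv", 0x00003400, bytes([0x00, 0x89, 0x5C]), bytes([0x48, 0x89, 0x5C])),
]
EXPECTED = {"ehdrv+0x0001c6e0", "ehdrv+0x00021000", "ehdrv+0x00025000"}

if __name__ == "__main__":
    for name, verdict in sorted(audit(EXPECTED, OBSERVED).items()):
        print(name, verdict)
```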
10. Conclusion
Cons
● You need kernel write access
○ Being able to write a single NULL byte is enough, though
Pros
● Will kill any security tool
● The software will still be "active and running" from a monitoring point of view - just not being notified