#1
How to remove Filemon driver from mem?
I know Filemon keeps filem701.sys (I think) resident after exiting, but some SecuROM-protected games detect it and will not run until I reboot, which is a pain.
How do I safely remove Filemon's driver from memory so I can run SecuROM games without a reboot? Using Filemon 7.03 on WinXP Pro.
#2
Check the Sysinternals forums. There is (at least) a thread regarding this issue, and the quick answer is "You can't".
There is no 100% safe way of unloading a kernel driver; that's why the author didn't implement this. Your options seem to be:
- reboot to unload the driver
- patch the app and driver to avoid detection whenever you load it
- code your own almost-safe way to unload the driver (?)
#3
Thanks MKz, I suspected it wasn't going to be easy!
Patching seems the best solution, except I don't know what to patch nor how, unless it's a case of a bit of hex editing.
#4
Quote:
and even then you can patch.
#5
Quote:
Quote:
Good luck.
#6
Quote:
You need at least to change the driver's name; that's the most straightforward way of detection. Rename the driver file (I believe it's a binary resource inside the app's exe). Also, the name of the device it creates should be changed, both in the .sys file and in the app when it connects to the driver. I don't know if they (still) work, but check the patches in this thread: http://forum.exetools.com/showthread.php?t=6645
#7
MKz, those patches just patch the window name, not the driver.
The driver itself is digitally signed too, so tampering with it causes an 'invalid driver' message! The driver is located in filemon.exe between 0x19F90 and 0x2C3CF (v7.03 of filemon.exe). Changing the name of the driver file 'filem701.sys' does not work either. There is a reference to FILEMON701 in the file, so this must be the connection between Filemon and the driver, but seeing as you can't tamper with the driver, it seems this is going to be impossible?
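The two detection routes discussed in the posts above (a driver that is still registered and running after its user-mode app exits, and a device object that a driver has created) can both be checked from user mode. The following is an added PowerShell example written for this page; it is not code from the thread, from Sysinternals or from any copy-protection product. The driver base name FILEM701 and the device name Filemon701 are assumptions taken from the strings the posters mention and may need adjusting for a given build. It lists the matching kernel driver service and its state via WMI, then probes \\.\<device> with CreateFileW; ERROR_FILE_NOT_FOUND (2) means no such device exists, while ERROR_ACCESS_DENIED (5) means the device is there but the caller lacks rights, so it is still counted as present.

```powershell
# Added example: check whether a monitoring driver is still resident after its
# user-mode front end has exited, in the same way a protection check could.
# Driver/device names below are assumptions, not values confirmed by the thread.

Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-ResidentDriver {
    param([Parameter(Mandatory)][string]$BaseName)
    # Win32_SystemDriver lists kernel driver services; a driver that was never
    # unloaded still reports State = Running after the app that loaded it is gone.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like "*$BaseName*" -or $_.PathName -like "*$BaseName*" } |
        Select-Object Name, State, StartMode, PathName
}

function Test-DeviceObject {
    param([Parameter(Mandatory)][string]$DeviceName)
    $GENERIC_READ   = 0x80000000
    $OPEN_EXISTING  = 3
    $INVALID_HANDLE = [IntPtr](-1)
    $ERROR_ACCESS_DENIED = 5

    # Opening \\.\<name> only resolves if some driver created that device object.
    $h = [Native.Kernel32]::CreateFileW("\\.\$DeviceName", $GENERIC_READ, 0,
            [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($h -ne $INVALID_HANDLE) {
        [void][Native.Kernel32]::CloseHandle($h)
        return [pscustomobject]@{ Device = $DeviceName; Present = $true;  Win32Error = 0 }
    }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    # Access denied still proves the device exists; only "not found" means absent.
    [pscustomobject]@{
        Device     = $DeviceName
        Present    = ($err -eq $ERROR_ACCESS_DENIED)
        Win32Error = $err
    }
}

Get-ResidentDriver -BaseName 'FILEM701'      # assumed driver/service base name
Test-DeviceObject  -DeviceName 'Filemon701'  # assumed device name
```

Run it once before starting the monitor, once while it runs, and once after exiting it; if the third run still shows the service Running and the device Present, the driver is resident exactly as the thread describes, and a reboot (or the driver author's own unload path) is the only clean way out.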
#8
Seems my prayers have been answered, by Mr Gates no less!!
Apparently M$ acquired the Sysinternals website in July 2006 and their utilities are now available from M$:
http://www.microsoft.com/technet/sysinternals/default.mspx
http://download.sysinternals.com/Files/ProcessMonitor.zip
So for now I can monitor without 'certain' copy protections complaining!
#9
Heh, and guess what SecuROM will probably blacklist next...
But yeah, as mentioned by the others, Filemon and Regmon do not kill the driver (which they really should; it's just bad coding not to do so), so the only way to do it is to reboot... Hmm, actually, there is another way, but it'd require hooks etc. and faking that the driver isn't running.