I’m planning to write a driver that unhooks the rootkit hooks in the miniport layer (hooks of device objects or the major function array),
but I want my driver to be generic and work on most Windows versions and on both 32-bit and 64-bit Windows.
The problem is PatchGuard, so will PatchGuard block attempts to modify the memory image of the miniport drivers?
You might be asking how the rootkit patched it in the first place then; it’s a bootkit, so it bypassed the PatchGuard protections but didn’t disable it.
And if it is protected by PatchGuard, then how can I unhook the hooks in the driver module?!