@Tigzy
Files by attaching its device to the fs driver (ntfs).
Monitoring + key protection by CM callback. Driver loading guarded by a LoadImageNotify callback. Banning performed by filenames and by specific data found inside the binaries (located in Directory[IMAGE_DIRECTORY_ENTRY_SECURITY]); this is an additional blacklist for the case where the driver names are different.
KProcess Hacker
VirusBuster Ltd
Beijing Jiangmin
SUNBELT SOFTWARE
Sunbelt Software
K7 Computing
Immunet Corporation
Beijing Rising
G DATA Software
Quick Heal Technologies
Comodo Security Solutions
Sophos Plc
Anti - Virus CJSC
Returnil Software
NovaShield Inc
antimalware
BullGuard Ltd
Check Point Software Technologies Ltd
Symantec Corporation
Panda Software International
Kaspersky Lab
FRISK Software International Ltd
ESET, spol. s r.o.
Doctor Web Ltd
Comodo Inc
BitDefender SRL
BITDEFENDER LLC
Avira GmbH
GRISOFT, s.r.o.
PC Tools
ALWIL Software
Agnitum Ltd
FakeAV protected by two SSDT hooks + ObRegisterCallback for the newest versions
Code:
ntoskrnl.exe-->NtOpenProcess, Type: Address Change 0x805717C7-->F32FA213 [C:\WINDOWS\System32\Drivers\40ac432e68c8aa52.sys]
ntoskrnl.exe-->NtOpenThread, Type: Address Change 0x8058A1BD-->F32FA33C [C:\WINDOWS\System32\Drivers\40ac432e68c8aa52.sys]
In sum this is more a malware protection agent driver than a rootkit, because it has 0 stealth.
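As an added illustration (not code from the thread or from the FakeAV driver itself) of the check described above, here is a user-mode C routine that locates a PE image's IMAGE_DIRECTORY_ENTRY_SECURITY entry and searches the Authenticode blob for the vendor strings from the list. The blacklist is a short subset of the names in the post; the PE image is a constructed minimal PE32 header with a fake WIN_CERTIFICATE whose body is only the vendor string, so it runs offline without any real signed binary. Note that the "VirtualAddress" of this directory entry is a raw file offset, not an RVA, which is why no section mapping is needed, and that every read is bounds-checked, since an image that reaches a LoadImage callback is attacker-controlled data from the driver's point of view.

```c
// Added example: scan a PE's security directory (Authenticode blob) for
// banned vendor strings, as the post describes the driver doing in its
// LoadImageNotify callback. Not the driver's own code; blacklist is a subset.
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_DIRECTORY_ENTRY_SECURITY 4

/* Subset of the vendor strings listed in the thread (assumed sufficient here). */
static const char *BANNED[] = {
    "KProcess Hacker", "Kaspersky Lab", "Symantec Corporation",
    "ESET, spol. s r.o.", "Avira GmbH", "Sophos Plc", NULL
};

/* Little-endian helpers so the parser does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

/* Locate the WIN_CERTIFICATE blob. The directory entry holds a file offset,
 * not an RVA. Returns NULL if the header is malformed or the entry is empty. */
static const uint8_t *security_dir(const uint8_t *img, size_t len, size_t *out_len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return NULL;
    uint32_t pe = rd32(img + 0x3C);
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return NULL;
    uint32_t opt = pe + 24;                         /* optional header follows IMAGE_FILE_HEADER */
    uint16_t opt_size = rd16(img + pe + 20);        /* SizeOfOptionalHeader */
    if (opt_size < 2 || len - opt < opt_size) return NULL;
    uint16_t magic = rd16(img + opt);
    uint32_t dd;                                    /* DataDirectory offset inside optional header */
    if (magic == 0x10B) dd = 96;                    /* PE32 */
    else if (magic == 0x20B) dd = 112;              /* PE32+ */
    else return NULL;
    uint32_t entry = opt + dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY;
    if (entry + 8 > opt + opt_size) return NULL;    /* directory entry must lie inside the header */
    uint32_t off = rd32(img + entry), size = rd32(img + entry + 4);
    if (off == 0 || size == 0 || off > len || len - off < size) return NULL;
    *out_len = size;
    return img + off;
}

static const uint8_t *find_bytes(const uint8_t *h, size_t hl, const char *n)
{
    size_t nl = strlen(n);
    if (nl == 0 || hl < nl) return NULL;
    for (size_t i = 0; i + nl <= hl; i++)
        if (memcmp(h + i, n, nl) == 0) return h + i;
    return NULL;
}

/* Returns the banned vendor string found in the signature blob, else NULL.
 * Subject names sit as raw PrintableString/UTF8String bytes inside the DER
 * PKCS#7 blob, which is why a plain byte search is enough. */
const char *banned_vendor_in_pe(const uint8_t *img, size_t len)
{
    size_t blob_len;
    const uint8_t *blob = security_dir(img, len, &blob_len);
    if (!blob) return NULL;
    for (int i = 0; BANNED[i]; i++)
        if (find_bytes(blob, blob_len, BANNED[i])) return BANNED[i];
    return NULL;
}

/* Constructed sample image: minimal PE32 header plus a fake WIN_CERTIFICATE
 * whose body is just the vendor string. vendor == NULL leaves the directory
 * entry empty (unsigned file). Returns the image length, 0 on overflow. */
size_t build_sample_pe(uint8_t *buf, size_t cap, const char *vendor)
{
    const uint32_t pe = 0x80, opt = pe + 24, opt_size = 224, cert = 0x200;
    size_t vlen = vendor ? strlen(vendor) : 0;
    size_t cert_len = 8 + vlen;                     /* dwLength + wRevision + wCertificateType + body */
    if (cap < cert + cert_len) return 0;
    memset(buf, 0, cert + cert_len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, pe);
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 4, 0x14C);                      /* IMAGE_FILE_MACHINE_I386 */
    wr16(buf + pe + 20, (uint16_t)opt_size);
    wr16(buf + opt, 0x10B);                         /* PE32 magic */
    if (vendor) {
        uint32_t entry = opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY;
        wr32(buf + entry, cert);
        wr32(buf + entry + 4, (uint32_t)cert_len);
        wr32(buf + cert, (uint32_t)cert_len);       /* WIN_CERTIFICATE.dwLength */
        wr16(buf + cert + 4, 0x0200);               /* WIN_CERT_REVISION_2_0 */
        wr16(buf + cert + 6, 0x0002);               /* WIN_CERT_TYPE_PKCS_SIGNED_DATA */
        memcpy(buf + cert + 8, vendor, vlen);
    }
    return cert + cert_len;
}

/* Build a sample with the given vendor and scan it. */
const char *check_sample(const char *vendor)
{
    static uint8_t buf[1024];
    size_t n = build_sample_pe(buf, sizeof buf, vendor);
    return n ? banned_vendor_in_pe(buf, n) : NULL;
}

/* A truncated image must be rejected rather than read out of bounds. */
int truncated_is_rejected(void)
{
    static uint8_t buf[1024];
    size_t n = build_sample_pe(buf, sizeof buf, "Kaspersky Lab");
    return n && banned_vendor_in_pe(buf, 0x100) == NULL;
}

int main(void)
{
    const char *v = check_sample("Kaspersky Lab");
    printf("signed by Kaspersky Lab -> %s\n", v ? v : "(not banned)");
    v = check_sample("Contoso Ltd");
    printf("signed by Contoso Ltd -> %s\n", v ? v : "(not banned)");
    return 0;
}
```

The same search applied to the PE's path or the driver's file name covers the "banned by filename" half of the check; the signature-blob match is what survives a simple rename.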
Is it possible to break all the callbacks with bruteforce?
This is at least not wise.