A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #1091  by qqq
 Fri May 14, 2010 8:22 am
Hello, Everyone!
When I use RkU 3.8.388.590 on the machine with TrendMicro OfficeScan installed in the page "Kernel Callbacks" it shows callback for SeFileSystem set by mrxsmb.sys. Can you tell me that does this callback mean?
 #1098  by qqq
 Fri May 14, 2010 1:19 pm
Thanks for the reply.
RootRepeal GUI crashes when I scan SSDT or Callbacks (dump in attach). Hope, this will be helpfull.
You do not have the required permissions to view the files attached to this post.
 #1099  by EP_X0FF
 Fri May 14, 2010 1:21 pm

This callback is normal behavior of mrxsmb.sys.
For example TokenMon from Sysinternals also uses this kind of callback.