[qqq]

Hello, Everyone!
When I use RkU 3.8.388.590 on the machine with TrendMicro OfficeScan installed in the page "Kernel Callbacks" it shows callback for SeFileSystem set by mrxsmb.sys. Can you tell me that does this callback mean?

[qqq]

RootRepeal shows nothing. Seems as somekind artifact.

[a_d_13]

Hello,

Actually, the "SeFileSystem" callback is registered by the Windows API SeRegisterLogonSessionTerminatedRoutine. The beta version of RootRepeal 2.0.0 posted here will show it on the "Callbacks" page.

Thanks,
--AD

[qqq]

Thanks for the reply.
RootRepeal GUI crashes when I scan SSDT or Callbacks (dump in attach). Hope, this will be helpfull.

[EP_X0FF]

Hello,

This callback is normal behavior of mrxsmb.sys.
For example TokenMon from Sysinternals also uses this kind of callback.

Regards.