I love 2:58's reference to the Sony rootkit scandal:
> It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory.
https://techcommunity.microsoft.com/t5/windows-blog-archive/...