Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   How to remove Filemon driver from mem? (https://forum.exetools.com/showthread.php?t=10314)

Barry 10-30-2006 21:31

How to remove Filemon driver from mem?
 
I know filemon keeps filem701.sys (I think) resident after exiting, but some Securom protected games detect it and will not run until I reboot, which is a pain.

How do I safely remove Filemon's driver from mem so I can run Securom games without a reboot?

Using Filemon 7.03 on WinXP Pro.

Mkz 11-01-2006 02:42

Check the sysinternals forums. There is (at least) a thread regarding this issue, and the quick answer is "You can't".
There is no 100% safe way of unloading a kernel driver, that's why the author didn't implement this.
Your options seem to be:
- reboot to unload the driver
- patch the app+driver to avoid detection whenever you load it
- code your own almost-safe way to unload the driver (?)

Barry 11-01-2006 08:13

Thanks Mkz, I suspected it wasn't going to be easy!

Patching seems the best solution, except I don't know what to patch nor how, unless it's a case of a bit of hexediting.

giga 11-01-2006 09:08

Quote:

Originally Posted by Barry
Thanks Mkz, I suspected it wasn't going to be easy!

Patching seems the best solution, except I don't know what to patch nor how, unless it's a case of a bit of hexediting.

Well, first you need to know in which way your game detects filemon,
and even then you can patch. ;)

trickyboy 11-01-2006 11:11

Quote:

Originally Posted by Barry
Thanks Mkz, I suspected it wasn't going to be easy!

Patching seems the best solution, except I don't know what to patch nor how, unless it's a case of a bit of hexediting.

As giga said :
Quote:

Originally Posted by giga
Well, first you need to know in which way your game detects filemon,
and even then you can patch.

But you can try changing the window title of filemon and its file name. Some programs detect it by viewing the list of processes running in memory.

Good luck.

Mkz 11-01-2006 17:28

Quote:

Originally Posted by trickyboy
But you can try changing the window title of filemon and its file name. Some programs detect it by viewing the list of processes running in memory.

Not in this case. What is being detected is the driver, not the FileMon app. The driver remains even after the app is terminated, and the target still won't start.

You need at least to change the driver's name, that's the most straightforward way of detection. Rename the driver file - I believe it's a binary resource inside the app's exe. Also, the name of the device it creates should be changed, both in the .sys file, and in the app when it connects to the driver.

I don't know if they (still) work, but check the patches in this thread: http://forum.exetools.com/showthread.php?t=6645

Barry 11-02-2006 00:06

Mkz, those patches just patch the window name, not the driver.

The driver itself is digitally signed too, so tampering with it causes an 'invalid driver' message!! The driver is located in the filemon.exe between 0x19F90 and 0x2C3CF (v7.03 of filemon.exe).

Changing the name of the driver file 'filem701.sys' does not work either. There is reference to FILEMON701 in the file so this must be the connection between filemon and the driver, but seeing as you can't tamper with the driver it seems this is going to be impossible?
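A quick way to confirm what Mkz and Barry describe, that the FileMon driver stays resident after filemon.exe exits, is to query the kernel driver services on the box. This is an added PowerShell example, not code from the thread; it assumes the driver registers as service FILEMON701 backed by filem701.sys, as the posts above state, so the pattern may need adjusting for other versions.

```powershell
# Added example (not from the thread): list kernel driver services whose
# service name or image path matches a pattern and report their state.
# Assumption: FileMon 7.03 registers service FILEMON701 with image
# filem701.sys; both match the '*filem*' pattern used below.
function Get-ResidentDriver {
    param(
        [Parameter(Mandatory)][string]$Pattern
    )
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like $Pattern -or $_.PathName -like $Pattern } |
        Select-Object Name, State, Started, StartMode, PathName
}

# Run this after closing filemon.exe: a State of 'Running' confirms the
# driver is still resident, which is what the protected game is reacting to.
Get-ResidentDriver -Pattern '*filem*'
```

An empty result after a reboot confirms the driver is gone; a row in state Stopped means the service entry exists but the image is not loaded.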

Barry 11-10-2006 22:28

Seems my prayers have been answered, by Mr Gates no less!!

Apparently M$ acquired the Sysinternals website in July 2006 and their utilities are now available from M$:

Code:

http://www.microsoft.com/technet/sysinternals/default.mspx

One utility that caught my eye was ProcessMonitor:

Code:

http://download.sysinternals.com/Files/ProcessMonitor.zip

This has an integrated FileMon and Regmon and does not interfere with Securom: I ran it while running a known Securom game that detects FileMon, and it happily loaded while having its activity logged by Process Monitor.

So for now I can monitor without 'certain' copy protections complaining!

evlncrn8 11-22-2006 20:49

heh, and guess what securom will probably blacklist next...
but yeah, as mentioned by the others, filemon and regmon do not kill the driver
(which they really should... it's just bad coding not to do so)
so the only way to do it is reboot...

hmm, actually, there is another way, but it'd require hooks etc. and faking
that the driver wasn't running..

