Yeah, sort of but will use registry persistence to bypass registry notifications.
Or a botkiller may not remove it but simply quarantine it via unhooking its rootkit using a custom LoadLibrary() function. Then suspend the process via filtering the EIP so that the EIP will never land on the process memory space to prevent any binary execution from happening.
Obviously removing is better but I did make the above feature too, useful for debugging.
I've just looked at the image in the first post and skipped all the pages.
And that's what I found:
SpaceWorm wrote:
Yeah, sort of but will use registry persistence to bypass registry notifications.
Or a botkiller may not remove it but simply quarantine it via unhooking its rootkit using a custom LoadLibrary() function. Then suspend the process via filtering the EIP so that the EIP will never land on the process memory space to prevent any binary execution from happening.
Obviously removing is better but I did make the above feature too, useful for debugging.
I just realised:
If you have an object's distance from a single point, the object could be in an infinite number of places all on the circumference of a circle with the distance's radius.
If you have an object's distance from two points, it could only be in one of two places.
If you have an object's distance from three points, you have its exact location.
If you have an object's distance from n points (n>3) you will still have its exact location.
That is a massive scale down: infinity, two, one, one, one....
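The candidate-count argument above (infinity, two, one, one, ...) can be checked numerically with the standard two-circle intersection formula. The following is an added example, not code from anyone in this thread; it assumes the same flat 2D setting as the post (in 3D two spheres meet in a circle and a fourth anchor is needed), and the anchor coordinates and distances are constructed test values.

```python
import math


def circle_intersections(p1, r1, p2, r2):
    """Intersection points of two circles in the plane.

    Returns [] (no intersection or concentric), [pt] (tangent) or [pt_a, pt_b].
    """
    (x1, y1), (x2, y2) = p1, p2
    d = math.hypot(x2 - x1, y2 - y1)
    if d == 0:
        # Concentric circles: either no solution or a whole circle of them.
        return []
    if d > r1 + r2 or d < abs(r1 - r2):
        return []
    # Distance from p1 to the chord midpoint along the line p1 -> p2.
    a = (r1 ** 2 - r2 ** 2 + d ** 2) / (2 * d)
    h = math.sqrt(max(r1 ** 2 - a ** 2, 0.0))  # half chord length
    xm = x1 + a * (x2 - x1) / d
    ym = y1 + a * (y2 - y1) / d
    if h < 1e-9:
        return [(xm, ym)]  # tangent circles: a single point
    rx = -(y2 - y1) * (h / d)
    ry = (x2 - x1) * (h / d)
    return [(xm + rx, ym + ry), (xm - rx, ym - ry)]


def locate(anchors, tol=1e-6):
    """Positions consistent with a list of ((x, y), distance) anchors.

    Returns None when only one anchor is given (infinitely many positions on
    its circle), otherwise the list of surviving candidate points.
    """
    if len(anchors) < 2:
        return None
    (p1, r1), (p2, r2) = anchors[0], anchors[1]
    candidates = circle_intersections(p1, r1, p2, r2)
    # Every further anchor only filters the two candidates; it never adds any.
    for (p, r) in anchors[2:]:
        candidates = [
            c for c in candidates
            if abs(math.hypot(c[0] - p[0], c[1] - p[1]) - r) < tol
        ]
    return candidates


def candidate_count(anchors):
    """inf for one anchor, then 2, 1, 1, ... (0 if the distances are inconsistent)."""
    cands = locate(anchors)
    return float("inf") if cands is None else len(cands)


if __name__ == "__main__":
    # Constructed example: the object really sits at (3, 4).
    anchors = [((0, 0), 5.0), ((6, 0), 5.0), ((0, 8), 5.0), ((10, 4), 7.0)]
    for n in range(1, len(anchors) + 1):
        print(n, "anchor(s):", candidate_count(anchors[:n]), locate(anchors[:n]))
```

Running the script prints the candidate count for 1, 2, 3 and 4 anchors; the second anchor leaves the mirror image (3, -4) alongside (3, 4), the third anchor eliminates it, and the fourth changes nothing. Measurement noise in practice means the third (and later) anchors should be treated as a least-squares fit rather than an exact filter, which is what the `tol` parameter hints at.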