In particular, if you rename the Sony drivers, then start the original, followed by the copy, then stop the original, followed by the copy, Windows systems fail. Why? Because when they load they do system call hooking, inserting themselves between the system call table and the driver that should be called for that API. But when you do it twice, each driver inserts itself at the top. So you have:
Table->module0 (original module)

But when you unload them in FIFO order (module1, module2), instead of LIFO order (module2, module1), it doesn't get cleaned up properly. When module2 is unloading, it restores the contents of the system call table to what it was when it loaded (module1), but module1 had already been unloaded. The table entry now points at the address where module1 was - but no longer is. Boom.
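The load and unload sequence described above can be traced with a small user-space simulation. This is an added example, not code from the drivers or from the original post: module ids stand in for handler addresses, and the names `hook_load`, `hook_unload`, `final_target` and `slot_dangling` are hypothetical.

```c
#include <stdio.h>
#include <stdbool.h>

/* Simulation only: module ids stand in for handler addresses. */
enum { MODULE0 = 0, MODULE1 = 1, MODULE2 = 2, NMODULES = 3 };

static int  table_entry;         /* one system call table slot */
static bool resident[NMODULES];  /* is the module's code still loaded? */
static int  saved[NMODULES];     /* what each hook found in the slot at load */

static void hook_load(int m) {
    saved[m] = table_entry;      /* remember the previous handler */
    table_entry = m;             /* insert self at the top of the chain */
    resident[m] = true;
}

static void hook_unload(int m) {
    table_entry = saved[m];      /* blindly restore the load-time value */
    resident[m] = false;
}

static void reset(void) {
    table_entry = MODULE0;       /* Table->module0 (original module) */
    resident[MODULE0] = true;
    resident[MODULE1] = resident[MODULE2] = false;
}

/* Returns the module the slot points at after both hooks are unloaded. */
int final_target(bool fifo) {
    reset();
    hook_load(MODULE1);          /* Table->module1->module0 */
    hook_load(MODULE2);          /* Table->module2->module1->module0 */
    if (fifo) { hook_unload(MODULE1); hook_unload(MODULE2); }
    else      { hook_unload(MODULE2); hook_unload(MODULE1); }
    return table_entry;
}

/* True when the slot points at code that is no longer loaded. */
bool slot_dangling(bool fifo) {
    return !resident[final_target(fifo)];
}

int main(void) {
    printf("LIFO: slot -> module%d, dangling=%d\n", final_target(false), slot_dangling(false));
    printf("FIFO: slot -> module%d, dangling=%d\n", final_target(true), slot_dangling(true));
    return 0;
}
```

In the FIFO case the slot is also briefly restored to module0 while module2 is still loaded, so module2 is bypassed before the final restore leaves the entry pointing at unloaded code.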