My short question is, that if I know that a driver is IRP hooked (for example at IRP_MJ_READ), how can I restore this entry to the original one? As I see, Xuetr/Pc Hunter can tell me the "original entry" of some drivers' major functions list (e.g. acpi, keyboard, atapi, etc), so there must be a way - maybe not for every device in the OS but for some specific drivers.
(So: that is not a problem to list the current entries and to find out which entry is hooked, I only have problems with finding out the original entries in "_DRIVER_OBJECT-MajorFunctions")
