The driver operates in ring 0, providing deep integration with the operating system kernel to monitor low-level operations.
Intercepts system calls, IRPs (I/O request packets), and kernel callbacks.
Monitors process and thread creation, memory mapping, and device access.
Implements process protection, preventing tampering with the EDR's own processes.
Integrates with ETW (Event Tracing for Windows) to consume and emit telemetry.
Registers file system mini-filters to observe file operations.
Registers registry callbacks via CmRegisterCallbackEx.
Difficult to bypass directly without exploiting a vulnerability, since it runs with the same privileges as the kernel itself.
Direct syscalls or calls to undocumented NT functions are used to sidestep its user-mode hooks.
Rootkits or signed but vulnerable drivers (BYOVD) are sometimes used for driver-level evasion.
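A defender-side health check that ties the points above together, added here as an example (it is not code from the original page): from an elevated PowerShell prompt it confirms the EDR kernel driver service is loaded, that its binary carries a valid signature, and that it is attached as a file system mini-filter at its expected altitude. The driver name `ExampleEdrDriver` is a placeholder; substitute your vendor's service name.

```powershell
# Added example: verify an EDR kernel driver is loaded, signed and attached as a minifilter.
# $DriverName is a placeholder (assumption); use the real service name of your EDR driver.
param([string]$DriverName = 'ExampleEdrDriver')

# 1. Kernel driver service: present, running, and started early enough (Boot/System).
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'"
if (-not $svc) { Write-Warning "Driver service '$DriverName' not found"; return }
"{0}: State={1} StartMode={2} Path={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.PathName
if ($svc.State -ne 'Running') { Write-Warning "Driver is not running; ring-0 callbacks are not active" }

# 2. Binary signature: ring-0 code must be signed, so an unsigned/invalid result is a red flag.
$path = $svc.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
$sig  = Get-AuthenticodeSignature -FilePath $path
"Signature: {0} by {1}" -f $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') { Write-Warning "Driver binary signature is '$($sig.Status)'" }

# 3. Mini-filter attachment: fltmc lists every loaded filter with its altitude.
#    Output rows look like: "<FilterName>   <NumInstances>   <Altitude>   <Frame>".
$filters = fltmc filters | ForEach-Object {
    if ($_ -match '^(\S+)\s+(\d+)\s+(\d+)') {
        [pscustomobject]@{ Name = $Matches[1]; Instances = [int]$Matches[2]; Altitude = $Matches[3] }
    }
}
$mine = $filters | Where-Object Name -eq $DriverName
if ($mine) {
    "Minifilter '{0}' attached at altitude {1} with {2} instance(s)" -f $mine.Name, $mine.Altitude, $mine.Instances
    if ($mine.Instances -eq 0) { Write-Warning "Filter is loaded but attached to no volumes" }
} else {
    Write-Warning "No minifilter named '$DriverName' is attached; file activity is not being filtered"
}
```

Altitudes are allocated by Microsoft per vendor, so a filter that has moved to an unexpected altitude or lost all its volume instances is worth investigating as a possible tampering attempt.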