Kernel-mode callbacks are routines a driver registers through kernel APIs so that the kernel invokes them when a system-level event occurs; they are how security sensors watch process, image, handle, and registry activity from kernel mode:
PsSetCreateProcessNotifyRoutine (and the Ex variant): process creation and exit; the Ex variant can veto creation by setting CreateInfo->CreationStatus to a failure status
PsSetLoadImageNotifyRoutine: image (EXE, DLL, driver) load tracking; notification only, the callback cannot reject the load
ObRegisterCallbacks: handle creation and duplication on process and thread objects (e.g., opening lsass); the pre-operation callback can remove rights such as PROCESS_VM_READ from the requested DesiredAccess
CmRegisterCallbackEx: registry operations; a pre-notification can fail the operation by returning an error status
Because all but the image-load callback run before the kernel completes the requested operation, they give real-time detection and, for process creation, handle opens, and registry access, enforcement rather than after-the-fact logging.
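As an added illustration (not code from this page or from any particular product), the C file below shows how a driver wires ObRegisterCallbacks to a pre-operation routine that strips the memory-read and injection rights from any user-mode handle to lsass.exe before the open completes. It registers for both handle creation and handle duplication, which is what closes the handle-duplication evasion listed further down. The policy function is portable C that the user-mode main exercises on constructed requests; the driver glue compiles only when _KERNEL_MODE is defined by a WDK build. The altitude string 321000, the driver name lsass_guard, and matching lsass by its 15-character short image name are assumptions made for the example.

```c
/* lsass_guard.c (assumed name): ObRegisterCallbacks pre-operation filter with a portable policy core.
 * Added example, not from the original page. Driver glue builds only under _KERNEL_MODE (WDK). */
#ifdef _KERNEL_MODE
#include <ntddk.h>          /* WDK build: real kernel types and constants */
#else
#include <stdio.h>          /* portable build: demo main only */
#endif
#include <stdbool.h>
#include <stdint.h>

typedef uint32_t access_mask_t;

/* Process access rights, values as in the Windows SDK; the WDK headers define them already. */
#ifndef PROCESS_VM_READ
#define PROCESS_TERMINATE                 0x0001
#define PROCESS_CREATE_THREAD             0x0002
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_DUP_HANDLE                0x0040
#define PROCESS_QUERY_INFORMATION         0x0400
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif
#ifndef OB_OPERATION_HANDLE_CREATE
#define OB_OPERATION_HANDLE_CREATE    0x00000001
#define OB_OPERATION_HANDLE_DUPLICATE 0x00000002
#endif

/* Rights that let the caller dump, inject into, or kill the protected process. */
#define DANGEROUS_RIGHTS (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | \
                          PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE | PROCESS_TERMINATE)

/* Case-insensitive ASCII compare with no libc dependency, so it is safe at elevated IRQL. */
static bool name_equals_ci(const char *a, const char *b)
{
    for (;; a++, b++) {
        unsigned char ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return false;
        if (ca == '\0') return true;
    }
}

/* Policy core shared by the driver and the demo. Returns the mask the requester is granted:
 * kernel-originated handles pass untouched; user-mode CREATE and DUPLICATE requests
 * against lsass.exe lose DANGEROUS_RIGHTS. Matching by short name is an example assumption
 * (any binary can be renamed lsass.exe); production code should use the full path or the PID. */
access_mask_t filter_process_access(const char *target_image, bool kernel_handle,
                                    uint32_t operation, access_mask_t requested)
{
    if (kernel_handle) return requested;
    if (operation != OB_OPERATION_HANDLE_CREATE && operation != OB_OPERATION_HANDLE_DUPLICATE)
        return requested;
    if (!name_equals_ci(target_image, "lsass.exe")) return requested;
    return requested & ~(access_mask_t)DANGEROUS_RIGHTS;
}

#ifdef _KERNEL_MODE
/* Exported by ntoskrnl but absent from the public headers: 15-char image name from EPROCESS. */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);
static PVOID g_ObRegistration;

static OB_PREOP_CALLBACK_STATUS PreOperation(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    UNREFERENCED_PARAMETER(Context);
    if (Info->ObjectType != *PsProcessType) return OB_PREOP_SUCCESS;
    /* DesiredAccess lives in a different union member for create vs. duplicate. */
    PACCESS_MASK desired = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &Info->Parameters->CreateHandleInformation.DesiredAccess
        : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *desired = filter_process_access(PsGetProcessImageFileName((PEPROCESS)Info->Object),
                                     Info->KernelHandle != 0, Info->Operation, *desired);
    return OB_PREOP_SUCCESS;   /* the open still succeeds, but with the reduced mask */
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    if (g_ObRegistration) ObUnRegisterCallbacks(g_ObRegistration);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    OB_OPERATION_REGISTRATION op = { 0 };
    op.ObjectType = PsProcessType;
    op.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; /* both, or duplication bypasses us */
    op.PreOperation = PreOperation;
    OB_CALLBACK_REGISTRATION reg = { 0 };
    reg.Version = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    RtlInitUnicodeString(&reg.Altitude, L"321000");   /* assumed altitude for the example */
    reg.OperationRegistration = &op;
    DriverObject->DriverUnload = DriverUnload;
    return ObRegisterCallbacks(&reg, &g_ObRegistration); /* needs a signed image linked with /INTEGRITYCHECK */
}
#else
/* User-mode demo over constructed requests, as the pre-operation callback would see them. */
int main(void)
{
    struct { const char *image; uint32_t op; access_mask_t want; } reqs[] = {
        { "lsass.exe",   OB_OPERATION_HANDLE_CREATE,    PROCESS_QUERY_INFORMATION | PROCESS_VM_READ },
        { "LSASS.EXE",   OB_OPERATION_HANDLE_DUPLICATE, PROCESS_VM_READ | PROCESS_DUP_HANDLE },
        { "notepad.exe", OB_OPERATION_HANDLE_CREATE,    PROCESS_VM_READ },
    };
    for (unsigned i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        access_mask_t got = filter_process_access(reqs[i].image, false, reqs[i].op, reqs[i].want);
        printf("%-12s op=%u requested=0x%04x granted=0x%04x\n",
               reqs[i].image, (unsigned)reqs[i].op, (unsigned)reqs[i].want, (unsigned)got);
    }
    return 0;
}
#endif
```

ObRegisterCallbacks returns STATUS_ACCESS_DENIED unless the driver is signed and linked with /INTEGRITYCHECK. The filter is only as good as its coverage: had it registered for OB_OPERATION_HANDLE_CREATE alone, a caller could still obtain a full-access handle by duplicating one already held by another process, which is exactly the evasion listed below.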
Techniques used to evade or disable these callbacks:
Process ghosting/hollowing, so the process-creation and image-load callbacks see a benign or already-deleted file instead of the payload
Handle duplication to bypass ObRegisterCallbacks: obtain a handle from a process that already holds one instead of opening lsass directly; this only works if the callback filters OB_OPERATION_HANDLE_CREATE but not OB_OPERATION_HANDLE_DUPLICATE
Tampering with kernel objects (requires kernel access)
Driver-level manipulation of callback tables, e.g., clearing entries from the kernel's notify-routine arrays (requires kernel code execution, in practice often gained through a vulnerable signed driver)