Kernel-Snooping

Removing Process Creation Kernel Callbacks:

Targeting EDR registered callbacks for Process creation(PsSetCreateProcessNotifyRoutine).

External componenets used:

vulnerable driver MSI Afterburner RTCore64 (CVE-2019–16098) is used.

Notes:

Currently no built in functionality provided for loading the driver since the point here is mainly how to locate array(PspCreateProcessNotifyRoutine) which holds the callbacks.
Any vulnerable driver which provides read-what-where functionality will work(No shortage of those :)).

Name		Name	Last commit message	Last commit date
Latest commit History 11 Commits
kernel_snooping		kernel_snooping
phys_poc		phys_poc
x64/Release		x64/Release
README.md		README.md
kernel_snooping.sln		kernel_snooping.sln
ntquery.exe		ntquery.exe
processhacker-2.38-setup.7z		processhacker-2.38-setup.7z

Provide feedback