These are notes taken from this article; all credit goes to the person who wrote the article.

KernelMode Rootkits, Part 1 | SSDT hooks * Adlice Software

Driver Flow…


What is SSDT (System Service Dispatch Table)

Before reading: I am thinking the SSDT is like a PE's Export Directory (AddressOfFunctions), which is an array of function pointers, which is in ntoskrnl.exe. So this might be similar to IAT hooking?

How does an EDR prevent a malicious program from grabbing a handle (hProcess) to the EDR's own process?

By filtering any attempt to open a handle on the process: the execution flow of the API (the system service behind OpenProcess) is detoured to a filter function, which inspects the target process and the requested access and either passes the call on to the original function or denies it.
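The mechanism above, as an added example that is not code from the Adlice article: a user-mode model of a service table whose NtOpenProcess slot is detoured to a filter function that refuses PROCESS_TERMINATE and PROCESS_VM_WRITE on a protected PID and chains to the saved original for everything else, plus the check an anti-rootkit tool performs (comparing live table entries against a pristine copy). The table, its index and the three-argument service signature are hypothetical simplifications; the access masks and status values are the real Windows ones. Caveat for practitioners: on 64-bit Windows the real KiServiceTable holds encoded offsets rather than pointers and is watched by PatchGuard, so writing to it is not a viable EDR technique there; the supported way to filter handle opens is ObRegisterCallbacks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real Windows values for status codes and process access rights */
#define STATUS_SUCCESS       0L
#define STATUS_ACCESS_DENIED ((long)0xC0000022L)
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* Hypothetical simplification: every modelled service takes the same three arguments */
typedef long (*service_fn)(uint32_t pid, uint32_t access, uintptr_t *handle);

/* Model of KiServiceTable: a syscall index selects a function pointer (index 0 is a hypothetical slot) */
#define SVC_OPEN_PROCESS 0u
#define SVC_COUNT        1u
static service_fn service_table[SVC_COUNT];
static service_fn pristine_table[SVC_COUNT];   /* snapshot taken at init, used by the scanner */

/* Stand-in for ntoskrnl's NtOpenProcess: always hands out a (fake) handle */
static long nt_open_process_model(uint32_t pid, uint32_t access, uintptr_t *handle) {
    (void)access;
    *handle = 0x1000u + pid;
    return STATUS_SUCCESS;
}

/* KiSystemService model: the syscall index is resolved through the table at call time,
   so whatever pointer sits in the slot is what runs */
long syscall_open_process(uint32_t pid, uint32_t access, uintptr_t *handle) {
    *handle = 0;
    return service_table[SVC_OPEN_PROCESS](pid, access, handle);
}

void init_service_table(void) {
    service_table[SVC_OPEN_PROCESS]  = nt_open_process_model;
    pristine_table[SVC_OPEN_PROCESS] = nt_open_process_model;
}

/* ---- the EDR-style filter: detour the slot, inspect, then chain or deny ---- */
static uint32_t   protected_pid = 0;
static service_fn original_open_process = NULL;

static long filter_open_process(uint32_t pid, uint32_t access, uintptr_t *handle) {
    if (pid == protected_pid && (access & (PROCESS_TERMINATE | PROCESS_VM_WRITE))) {
        *handle = 0;
        return STATUS_ACCESS_DENIED;          /* dangerous rights on our process: refuse */
    }
    return original_open_process(pid, access, handle);   /* everything else: call the original */
}

void install_open_process_hook(uint32_t pid_to_protect) {
    if (original_open_process) return;        /* already installed; a second install would loop on itself */
    protected_pid = pid_to_protect;
    original_open_process = service_table[SVC_OPEN_PROCESS];   /* save for chaining and unhooking */
    service_table[SVC_OPEN_PROCESS] = filter_open_process;     /* the actual table write */
}

void remove_open_process_hook(void) {
    if (original_open_process) service_table[SVC_OPEN_PROCESS] = original_open_process;
    original_open_process = NULL;
}

/* ---- anti-rootkit style check: count slots whose pointer no longer matches the pristine copy ---- */
unsigned count_hooked_entries(void) {
    unsigned n = 0;
    for (unsigned i = 0; i < SVC_COUNT; i++)
        if (service_table[i] != pristine_table[i]) n++;
    return n;
}

/* Convenience wrappers so callers can check status and handle separately */
static uintptr_t g_last_handle;
long probe_open(uint32_t pid, uint32_t access) {
    return syscall_open_process(pid, access, &g_last_handle);
}
uintptr_t last_handle(void) { return g_last_handle; }

int main(void) {
    init_service_table();
    install_open_process_hook(4242);
    long st = probe_open(4242, PROCESS_VM_WRITE);
    printf("open 4242 for VM_WRITE: status 0x%08lx handle %#lx, hooked slots: %u\n",
           (unsigned long)st, (unsigned long)last_handle(), count_hooked_entries());
    remove_open_process_hook();
    printf("after unhook, hooked slots: %u\n", count_hooked_entries());
    return 0;
}
```

The filter saves the original pointer before overwriting the slot; that saved pointer is both what lets benign calls through and what the scanner would need to restore if it treated the entry as malicious.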


KernelMode Rootkits: Part 2, IRP hooks

IRP (I/O Request Packet)

I/O request packets - Windows drivers

Driver Stack

Driver stacks - Windows drivers

KernelMode Rootkits: Part 3, kernel filters

A kernel filter is a driver/device attached to another device so that it is inserted between two layers of a driver stack; every request travelling through the stack passes through it on the way down.
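The layering described above, as an added example that is not code from the Adlice article: a user-mode model of a device stack in which a filter device is attached between the bottom device (PDO) and the function device (FDO), and a request sent to the top of the stack is handed down layer by layer. The device and IRP structures, the device names and the write-guard policy are hypothetical; the major function codes and status values are the real Windows ones. The model keeps one real property of IoAttachDeviceToDeviceStack: a filter always lands on top of the target's stack as it exists at attach time, so sitting between two layers is a matter of attaching before the upper layer does (which is why lower filters are loaded before the function driver). It also shows that a filter may complete a request itself, so the layers below never see it; a rootkit hides and a defender blocks with exactly the same move.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real Windows major function codes and status values; everything else is a user-mode model */
#define IRP_MJ_READ  3
#define IRP_MJ_WRITE 4
#define STATUS_SUCCESS       0L
#define STATUS_ACCESS_DENIED ((long)0xC0000022L)

struct irp {
    int      major;
    uint32_t requestor_pid;
    char     trace[128];   /* demo only: names of the devices that saw the IRP, top to bottom */
};

struct device;
typedef long (*dispatch_fn)(struct device *self, struct irp *irp);

/* DEVICE_OBJECT model: 'attached' points up the stack (AttachedDevice),
   'lower' is what the attach call returned and where the filter forwards to */
struct device {
    const char    *name;
    dispatch_fn    dispatch;
    struct device *lower;
    struct device *attached;
    uint32_t       trusted_pid;   /* filter state (DeviceExtension in a real driver) */
};

static void trace_append(struct irp *irp, const char *name) {
    if (irp->trace[0]) strncat(irp->trace, ">", sizeof irp->trace - strlen(irp->trace) - 1);
    strncat(irp->trace, name, sizeof irp->trace - strlen(irp->trace) - 1);
}

/* IoCallDriver model: hand the IRP to a device's dispatch routine */
long io_call_driver(struct device *dev, struct irp *irp) { return dev->dispatch(dev, irp); }

/* IoGetAttachedDeviceReference model: new IRPs enter at the topmost device */
struct device *top_of_stack(struct device *dev) {
    while (dev->attached) dev = dev->attached;
    return dev;
}

/* IoAttachDeviceToDeviceStack model: attach on top of whatever is currently the top */
struct device *attach_to_device_stack(struct device *filter, struct device *target) {
    struct device *top = top_of_stack(target);
    top->attached    = filter;
    filter->lower    = top;
    filter->attached = NULL;
    return top;
}

/* Bottom of the stack (PDO model): completes the request */
static long pdo_dispatch(struct device *self, struct irp *irp) {
    trace_append(irp, self->name);
    return STATUS_SUCCESS;
}

/* Pass-through: a function driver or an observe-only filter */
static long passthrough_dispatch(struct device *self, struct irp *irp) {
    trace_append(irp, self->name);
    return io_call_driver(self->lower, irp);
}

/* Write-guard filter: completes IRP_MJ_WRITE from untrusted requestors itself,
   so the devices below never see the denied request */
static long write_guard_dispatch(struct device *self, struct irp *irp) {
    trace_append(irp, self->name);
    if (irp->major == IRP_MJ_WRITE && irp->requestor_pid != self->trusted_pid)
        return STATUS_ACCESS_DENIED;
    return io_call_driver(self->lower, irp);
}

static struct device pdo          = { "pdo",      pdo_dispatch,         NULL, NULL, 0 };
static struct device lower_filter = { "lowerflt", write_guard_dispatch, NULL, NULL, 1000 };
static struct device fdo          = { "fdo",      passthrough_dispatch, NULL, NULL, 0 };
static struct device upper_filter = { "upperflt", passthrough_dispatch, NULL, NULL, 0 };

/* Build pdo <- lowerflt <- fdo <- upperflt: attach order decides the layering */
void build_stack(void) {
    pdo.attached = lower_filter.attached = fdo.attached = upper_filter.attached = NULL;
    attach_to_device_stack(&lower_filter, &pdo);   /* between pdo and the fdo that comes next */
    attach_to_device_stack(&fdo, &pdo);
    attach_to_device_stack(&upper_filter, &pdo);
}

static char last_trace_buf[128];
const char *last_trace(void) { return last_trace_buf; }

/* I/O manager model: build an IRP and send it to the top of the stack */
long send_request(int major, uint32_t requestor_pid) {
    struct irp irp = { major, requestor_pid, "" };
    long status = io_call_driver(top_of_stack(&pdo), &irp);
    strcpy(last_trace_buf, irp.trace);
    return status;
}

int main(void) {
    build_stack();
    long st = send_request(IRP_MJ_WRITE, 7);
    printf("write from pid 7:    0x%08lx via %s\n", (unsigned long)st, last_trace());
    st = send_request(IRP_MJ_WRITE, 1000);
    printf("write from pid 1000: 0x%08lx via %s\n", (unsigned long)st, last_trace());
    return 0;
}
```

The trace recorded on each IRP is what makes the layering visible: a denied write stops at lowerflt, while a permitted one reaches the pdo, and neither the fdo nor the upper filter can tell the difference from their own vantage point.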