DioProcess

Kernel Enumeration

Ring 0

Enumerate kernel data structures, callbacks, and drivers that are not accessible from usermode.

Requires Kernel Driver

All kernel enumeration features require the DioProcess kernel driver to be loaded.

Overview

The Kernel Enumeration features provide visibility into kernel structures that are normally hidden from usermode applications. This is useful for:

  • Detecting rootkits that hide processes via DKOM
  • Identifying EDR/AV minifilter drivers
  • Understanding which drivers are monitoring system activity
  • Security research and forensic analysis

UI Access

Access via the Kernel Utilities tab in the main navigation. Each enumeration type has its own sub-tab with filtering, sorting, and export capabilities.

Features

PatchGuard Safety

All enumeration operations are read-only and do not modify kernel structures. They do not trigger PatchGuard/KPP because:

  • No code patching occurs
  • No SSDT/IDT/GDT modifications
  • Only data structure traversal via documented/semi-documented methods