DioProcess

Callback Enumeration

Enumerate registered kernel callbacks to identify EDR/AV hooks and security product registrations.

Callback Types

Process Callbacks

PsSetCreateProcessNotifyRoutineEx

Registered by AV/EDR to monitor process creation and termination.

Thread Callbacks

PsSetCreateThreadNotifyRoutine

Monitor thread creation across all processes.

Image Load Callbacks

PsSetLoadImageNotifyRoutine

Monitor DLL/EXE loading — commonly used for injection detection.

Object Callbacks

ObRegisterCallbacks

Monitor handle operations (create/duplicate) for process and thread handles. Shows pre/post operation callbacks, altitude, and monitored operations.

Registry Callbacks

CmRegisterCallbackEx

Monitor registry operations (create, open, set, delete, rename, query).

Callback Information

For each callback, the driver returns:

  • Index — Callback slot index (0-63)
  • Callback Address — Kernel address of the callback function
  • Module Name — Driver that registered the callback (e.g., WdFilter.sys)
  • Module Base — Base address of the owning module
  • Offset — RVA within the module

Object Callback Details

Object callbacks provide additional information:

  • Altitude — Callback priority (higher = called first)
  • Pre-Operation Callback — Called before handle operation
  • Post-Operation Callback — Called after handle operation
  • Object Type — Process or Thread
  • Operations — Handle Create, Handle Duplicate, or both

Callback Removal

Callbacks can be removed or restored via the context menu:

  • Remove Callback — Unregister the callback (zeros the slot)
  • Restore Callback — Re-register a previously removed callback
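As an added example that is not DioProcess code and does not talk to its driver, the following Python checks an enumeration of the kind the Callback Information, Object Callback Details and Callback Removal sections describe: it verifies that each reported Module Name / Module Base / Offset triple agrees with the callback address, flags a callback that falls outside every loaded module, orders object callbacks by altitude (higher first, as stated above), and diffs a baseline enumeration against a later one so that a zeroed slot shows up as a removed callback. The record layouts, module sizes, addresses, altitudes and the name sample_driver.sys are constructed; only WdFilter.sys appears on the page.

```python
"""Check and diff kernel-callback inventories (added example, not DioProcess code).
Every address, size, altitude and module name except WdFilter.sys is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SLOT_COUNT = 64  # the page documents slot indices 0-63


@dataclass(frozen=True)
class ModuleInfo:
    name: str
    base: int
    size: int  # assumed: image size, so an address can be bounded to one module


@dataclass(frozen=True)
class CallbackSlot:
    index: int
    address: int  # 0 means the slot is empty (or has been zeroed)
    module: Optional[str]
    module_base: int
    offset: int  # RVA as reported: address - module_base


@dataclass(frozen=True)
class ObjectCallback:
    module: str
    altitude: float
    object_type: str  # "Process" or "Thread"
    operations: frozenset  # subset of {"Create", "Duplicate"}


def attribute(address: int, modules: List[ModuleInfo]) -> Optional[ModuleInfo]:
    """Return the loaded module whose image range covers address, if any."""
    for m in modules:
        if m.base <= address < m.base + m.size:
            return m
    return None


def check_slot(slot: CallbackSlot, modules: List[ModuleInfo]) -> List[str]:
    """Findings for one slot: address inside no known module, or a reported
    module/base/offset triple that does not agree with the address."""
    if slot.address == 0:
        return []
    owner = attribute(slot.address, modules)
    if owner is None:
        return [f"slot {slot.index}: {slot.address:#x} is not inside any loaded module"]
    expected = slot.address - owner.base
    if (slot.module, slot.module_base, slot.offset) != (owner.name, owner.base, expected):
        return [f"slot {slot.index}: reported {slot.module}+{slot.offset:#x}, "
                f"address resolves to {owner.name}+{expected:#x}"]
    return []


def diff_slots(baseline: List[CallbackSlot], later: List[CallbackSlot]) -> Dict[str, List[int]]:
    """Compare two enumerations slot by slot: a callback present before and zero
    now is 'removed', the reverse is 'added', a different address is 'changed'."""
    before = {s.index: s.address for s in baseline}
    now = {s.index: s.address for s in later}
    result: Dict[str, List[int]] = {"removed": [], "added": [], "changed": []}
    for idx in range(SLOT_COUNT):
        old, new = before.get(idx, 0), now.get(idx, 0)
        if old and not new:
            result["removed"].append(idx)
        elif new and not old:
            result["added"].append(idx)
        elif old and new and old != new:
            result["changed"].append(idx)
    return result


def pre_op_order(callbacks: List[ObjectCallback]) -> List[str]:
    """Module names in pre-operation call order: higher altitude first."""
    return [c.module for c in sorted(callbacks, key=lambda c: c.altitude, reverse=True)]


# Constructed sample data; ranges do not overlap.
MODULES = [
    ModuleInfo("ntoskrnl.exe", 0xFFFFF80300000000, 0x1000000),
    ModuleInfo("WdFilter.sys", 0xFFFFF80312340000, 0x80000),
]
BASELINE = [
    CallbackSlot(0, 0xFFFFF80300123450, "ntoskrnl.exe", 0xFFFFF80300000000, 0x123450),
    CallbackSlot(1, 0xFFFFF80312345678, "WdFilter.sys", 0xFFFFF80312340000, 0x5678),
    CallbackSlot(2, 0xFFFFF80399990000, None, 0, 0),  # covered by no loaded module
]
# Same machine later: slot 1 zeroed, slot 2 moved, slot 3 new with a wrong offset.
LATER = [
    CallbackSlot(0, 0xFFFFF80300123450, "ntoskrnl.exe", 0xFFFFF80300000000, 0x123450),
    CallbackSlot(1, 0, None, 0, 0),
    CallbackSlot(2, 0xFFFFF80399990100, None, 0, 0),
    CallbackSlot(3, 0xFFFFF80312346000, "WdFilter.sys", 0xFFFFF80312340000, 0x1000),
]
OBJECT_CALLBACKS = [
    ObjectCallback("sample_driver.sys", 1000.0, "Process", frozenset({"Create"})),
    ObjectCallback("WdFilter.sys", 30000.0, "Process", frozenset({"Create", "Duplicate"})),
]

if __name__ == "__main__":
    for slot in BASELINE + LATER:
        print(*check_slot(slot, MODULES), sep="\n")
    print(diff_slots(BASELINE, LATER), pre_op_order(OBJECT_CALLBACKS))
```

Running the block prints the two attribution findings (slot 2 outside any module, slot 3 with a reported offset that does not match its address), the slot diff, and the object-callback order. A real workflow would feed `diff_slots` two enumerations taken from the same machine at different times; a callback that was present and is now zero is exactly what a defender watching for callback tampering wants surfaced.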

Usage

  1. Navigate to the Kernel Enumeration tab
  2. Select the Callback Enumeration sub-tab
  3. Click a callback type button (Process, Thread, Image, Object, Registry)
  4. Use the search filter to find specific modules or addresses
  5. Right-click an entry for the context menu actions

Common EDR/AV Modules

  • WdFilter.sys (Windows Defender)
  • SentinelMonitor.sys
  • CarbonBlackK.sys
  • esensor.sys (ESET)
  • mfeaskm.sys (McAfee)
  • symefasi.sys (Symantec)
  • CyOptics.sys (Cylance)
  • csagent.sys (CrowdStrike)

IOCTLs

  IOCTL                     Code
  ENUM_PROCESS_CALLBACKS    0x809
  ENUM_THREAD_CALLBACKS     0x80A
  ENUM_IMAGE_CALLBACKS      0x80B
  ENUM_OBJECT_CALLBACKS     0x810
  ENUM_REGISTRY_CALLBACKS   0x81E