leviathan-driver 0.2.0

Windows kernel-mode EDR/XDR driver framework in Rust - callbacks, filters, detection, forensics
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

//! Kernel Callback Modules
//!
//! This module provides Windows kernel callback implementations for:
//! - Process creation/termination monitoring
//! - Thread creation/termination monitoring
//! - Image (DLL/EXE) load monitoring
//! - Object handle access control
//! - Registry operation filtering
//!
//! These callbacks are essential for EDR (Endpoint Detection and Response),
//! anti-virus, and security monitoring applications.

pub mod process;
pub mod thread;
pub mod image;
pub mod object;
pub mod registry;

use wdk_sys::NTSTATUS;

/// Initialize all kernel callbacks
///
/// # Safety
/// Must be called from DriverEntry or device initialization context
pub unsafe fn register_all_callbacks() -> Result<(), NTSTATUS> {
    // Register in order of dependency
    unsafe {
        process::register()?;
        thread::register()?;
        image::register()?;
        object::register()?;
        registry::register()?;
    }

    Ok(())
}

/// Unregister all kernel callbacks
///
/// # Safety
/// Must be called from driver unload context
pub unsafe fn unregister_all_callbacks() {
    // Unregister in reverse order
    unsafe {
        registry::unregister();
        object::unregister();
        image::unregister();
        thread::unregister();
        process::unregister();
    }
}