Tech Analysis: CrowdStrike’s Kernel Access and Security Architecture
https://www.crowdstrike.com/blog/tech-analysis-kernel-access-security-architecture/
Interesting explainer about the architectural design decisions of #CrowdStrike, focusing mainly on the reasons for moving code to the kernel.
I find it curious that they talk about “User-Mode-Only Security Products” in the context of tamper protection: AVs tend to have kernel components and, if my observations at the time were correct, they provided protection for user processes even before PPL. I’m not Ionescu enough to know if such protections would work with KPP & co. though…