Bypass AV in the Kernel Mode

Introduction:

This is going to be a short blog on how attackers can bypass AV from kernel mode. Most AV and EDR products rely on kernel callbacks: the product's driver registers a routine with the kernel (for example through PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine or ObRegisterCallbacks), and the kernel invokes that routine whenever the matching event is triggered from user mode, such as a process starting, a DLL being loaded or a handle to a protected process being opened. If an attacker who already runs code in the kernel (a signed driver, an abused vulnerable driver or a kernel exploit) can locate the table that holds those registered callbacks and zero the entries, the kernel simply skips the empty slots and the AV is never alerted. The caveat is that this only silences the AV's own sensor; anything that walks the callback tables and compares them against a baseline will see the missing entries.
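The mechanism above, as an added user-mode model written for this post rather than code from the original page: a fixed-size callback table, a registration routine, a dispatch loop that walks the table on every process event, and the effect of zeroing a slot. The 64-entry table name PspCreateProcessNotifyRoutine, the fake AV routine and the counter-based check are assumptions made for the example; the real kernel stores each entry as an EX_CALLBACK reference and the dispatch loop lives in ntoskrnl, so this compiles and runs anywhere but only models the behaviour, not Windows internals.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model: Windows keeps a 64-slot array (PspCreateProcessNotifyRoutine,
 * an assumption for this example) and each registered routine occupies one slot. */
#define MAX_CALLBACKS 64

typedef void (*create_process_notify_t)(uint32_t parent_pid, uint32_t pid, int create);

static create_process_notify_t callback_table[MAX_CALLBACKS];

/* Counter the fake "AV" bumps every time the kernel tells it about a new process. */
static int av_alerts = 0;

static void av_process_callback(uint32_t parent_pid, uint32_t pid, int create)
{
    (void)parent_pid;
    (void)pid;
    if (create)
        av_alerts++;            /* a real AV would scan the image here and maybe block it */
}

/* Model of PsSetCreateProcessNotifyRoutine(): take the first free slot.
 * Returns the slot index, or -1 when the table is full. */
int register_callback(create_process_notify_t routine)
{
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        if (callback_table[i] == NULL) {
            callback_table[i] = routine;
            return i;
        }
    }
    return -1;
}

/* Model of the kernel's dispatch on process create/exit: walk the table and
 * invoke every non-null slot. Returns how many routines fired. */
int notify_process_event(uint32_t parent_pid, uint32_t pid, int create)
{
    int fired = 0;
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        if (callback_table[i] != NULL) {
            callback_table[i](parent_pid, pid, create);
            fired++;
        }
    }
    return fired;
}

/* The bypass described in the post: overwrite the AV's slot with zero. Dispatch
 * never validates entries, so an empty slot is silently skipped. */
void zero_callback_slot(int slot)
{
    if (slot >= 0 && slot < MAX_CALLBACKS)
        callback_table[slot] = NULL;
}

/* Defender-side check: count live slots and compare against a known baseline.
 * A drop in the count is the signal that something removed a callback. */
int count_registered_callbacks(void)
{
    int n = 0;
    for (int i = 0; i < MAX_CALLBACKS; i++)
        if (callback_table[i] != NULL)
            n++;
    return n;
}

int av_alert_count(void)
{
    return av_alerts;
}

int main(void)
{
    int slot = register_callback(av_process_callback);
    printf("AV registered in slot %d\n", slot);

    notify_process_event(4, 1234, 1);
    printf("alerts after first process create: %d\n", av_alert_count());

    zero_callback_slot(slot);
    notify_process_event(4, 1235, 1);
    printf("alerts after zeroing the slot: %d (table now holds %d callbacks)\n",
           av_alert_count(), count_registered_callbacks());
    return 0;
}
```

Run it and the second process creation produces no alert while the live-callback count drops from 1 to 0; that count delta is the same signal a defender gets by dumping the real table from a driver or a debugger and comparing it to a clean boot.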