[sbisson]

It’s not quite as bad as presented here; yes Microsoft is in the process of deprecating kernel mode drivers as part of its current security push, however it’s following Linux and implementing eBPF as a more secure alternative that runs mostly in user land and in a sandbox in kernel space. For the type of thing that this app does, it’s a logical change of direction that does not require the same level of EV code signing.

[roblabla]

Microsoft's eBPF is a very different beast from Linux's eBPF. It is contained to very few subsystems (Currently network, filesystem to come) and doesn't have the same facilities Linux has with dynamic probes to hook arbitrary kernel functions.

Windows also has DTrace, which does support arbitrary kernel hooks, but it requires booting in a special mode with bcdedit /set dtrace ON, which makes it unusable for machines not under your direct control.

None of those give enough visibility in the kernel structures to fully subsume kernel mode drivers. And further, they don't allow some of the advanced capabilities that are provided by things like ProcessHacker, such as killing PPL, forcefully closing remote handles, and a bunch of other stuff that is only possible via a kernel driver.