by roblabla
1693 days ago
Microsoft's eBPF is a very different beast from Linux's eBPF. It is contained to very few subsystems (currently network, filesystem to come) and doesn't have the same facilities Linux has with dynamic probes to hook arbitrary kernel functions. Windows also has DTrace, which does support arbitrary kernel hooks, but it requires booting in a special mode with `bcdedit /set dtrace ON`, which makes it unusable for machines not under your direct control. None of those give enough visibility in the kernel structures to fully subsume kernel mode drivers. And further, they don't allow some of the advanced capabilities that are provided by things like ProcessHacker, such as killing PPL, forcefully closing remote handles, and a bunch of other stuff that is only possible via a kernel driver.