Using Memory Analysis to Detect EDR-Nullifying Malware
ID: c203b600-607d-55c4-9775-5d026085fded
STIX ID: report--c203b600-607d-55c4-9775-5d026085fded
Feed Name: Volexity Blog
This Volexity analysis describes AVBurner, a kernel-space evasion tool tied to an APT (SnakeCharmer/Earth Longzhi) that disables EDR/AV process-creation callbacks by using a vulnerable driver (RTCore64.sys) to patch the PspCreateProcessNotifyRoutine callback array. The report explains the internals of the Windows callback mechanism, demonstrates detection via Volatility 3 and Volexity Volcano, lists IOCs (including the targeted SYS metadata and the vulnerable driver), and recommends monitoring for BYOVD drivers and applying Microsoft's driver-block mitigations.
