Security & Malware
We understand the techniques the bad guys use.
Windows kernel security consulting sits at the intersection of two demanding disciplines: kernel-mode driver development and software security. Building effective security software for Windows, whether an antivirus engine, an EDR sensor, an anti-cheat driver, or a data loss prevention agent, requires the same kernel expertise as any other driver work. It also requires a working understanding of how attackers use kernel-mode techniques to evade detection, escalate privilege, and persist on compromised systems. Joya Systems has worked on both sides of this: building the security components that protect systems and analyzing the malicious code that attempts to subvert them.
Whether your product is based on whitelisting, blacklisting, active scanning, or passive inspection, we understand not only how to protect against malware but also how to interoperate efficiently and reliably with the rest of the system and with third-party software.
Understanding security and how the other components on the system interact is key to building quality software. Let us handle the infrastructure so your team can focus on the core IP that separates you from your competitors.
At the kernel level, effective security software relies on a set of well-defined interception points: file system minifilter callbacks for file content scanning, process and thread notification routines for process protection and whitelisting, registry callback routines for registry monitoring and tamper prevention, and Windows Filtering Platform (WFP) callout drivers for network-level filtering and inspection. We have developed production-grade components across all of these areas and understand how to write them correctly, including handling re-entrancy, avoiding deadlocks with the kernel's own lock hierarchy, and ensuring compatibility with other security products installed on the same machine.
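A concrete pre-flight check for the minifilter case above, added here as an example (it is not Joya Systems' code): before installing a file-scanning filter, list the minifilters already loaded, confirm that your altitude sits in the load order group you were allocated, and see which other products' filters you will be stacked with. The altitude ranges are the Microsoft-allocated groups as documented in the WDK; confirm them against the current documentation before relying on them. `fltmc` needs an elevated prompt, and the filter name and altitude in the usage line are hypothetical.

```powershell
# Added example (not Joya Systems' code). Inventories loaded minifilters via `fltmc filters`
# and checks a planned altitude against them. Run from an elevated PowerShell session.
# Altitude ranges: Microsoft-allocated load order groups (WDK, "Load order groups and
# altitudes for minifilter drivers"); verify against current docs before relying on them.
$MinifilterGroups = @(
    [pscustomobject]@{ Name = 'FSFilter Activity Monitor'; Low = 360000; High = 389999 }
    [pscustomobject]@{ Name = 'FSFilter Anti-Virus';       Low = 320000; High = 329999 }
    [pscustomobject]@{ Name = 'FSFilter Content Screener'; Low = 260000; High = 269999 }
    [pscustomobject]@{ Name = 'FSFilter Encryption';       Low = 140000; High = 149999 }
)

function Get-LoadedMinifilter {
    # Parse the text table fltmc prints:  Filter Name | Num Instances | Altitude | Frame
    # Legacy filters can leave Num Instances blank, so that column is optional in the pattern.
    $raw = & fltmc.exe filters
    if ($LASTEXITCODE -ne 0) { throw "fltmc filters failed (exit $LASTEXITCODE); run from an elevated PowerShell." }
    $pattern = '^(?<Name>\S+)\s+(?:(?<Instances>\d+)\s+)?(?<Altitude>\d+(?:\.\d+)?)\s+(?<Frame>\S+)\s*$'
    foreach ($line in $raw) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Name      = $Matches.Name
                Instances = if ($Matches.Instances) { [int]$Matches.Instances } else { $null }
                Altitude  = [double]$Matches.Altitude
                Frame     = $Matches.Frame
            }
        }
    }
}

function Test-MinifilterAltitude {
    # Report whether $Altitude is inside the intended group and which filters share that group.
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][double]$Altitude,
        [string]$Group = 'FSFilter Anti-Virus'
    )
    $range = $MinifilterGroups | Where-Object Name -eq $Group
    if (-not $range) { throw "Unknown group '$Group'." }
    $loaded = @(Get-LoadedMinifilter)
    $issues = @()
    if ($Altitude -lt $range.Low -or $Altitude -gt $range.High) {
        $issues += "$Altitude is outside the $Group range $($range.Low)-$($range.High); altitudes are assigned by Microsoft and must stay inside the group."
    }
    foreach ($f in $loaded | Where-Object { $_.Altitude -eq $Altitude -and $_.Name -ne $FilterName }) {
        $issues += "$Altitude is already in use by $($f.Name); instance attachment would fail with STATUS_FLT_INSTANCE_ALTITUDE_COLLISION."
    }
    # Filters in the same group are the ones whose I/O ordering and re-entrancy behaviour you share.
    $sameGroup = $loaded |
        Where-Object { $_.Altitude -ge $range.Low -and $_.Altitude -le $range.High } |
        Sort-Object Altitude -Descending
    [pscustomobject]@{
        FilterName = $FilterName
        Altitude   = $Altitude
        Group      = $Group
        Issues     = $issues
        SameGroup  = $sameGroup
    }
}

# Usage: check a hypothetical scanning filter's altitude before installing it.
$result = Test-MinifilterAltitude -FilterName 'ExampleScanFilter' -Altitude 325000
$result.SameGroup | Format-Table Name, Altitude, Instances, Frame
$result.Issues | ForEach-Object { Write-Warning $_ }
```

The `SameGroup` list is the useful part for interoperability work: every filter above yours sees the I/O first and can re-enter your callbacks through its own file operations, which is exactly the re-entrancy and lock-ordering problem the paragraph above refers to.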
We also have specific experience with Early Launch Anti-Malware (ELAM) drivers, which load before all other third-party boot-start drivers during the Windows boot sequence and allow a security product to classify each boot driver as known good, known bad, known bad but boot-critical, or unknown before it is initialized; Windows then applies the configured driver load policy to that classification. ELAM development requires satisfying Microsoft's ELAM certification requirements (including an ELAM signing certificate issued through Microsoft's anti-malware program) and working within significant size and capability constraints, since the driver cannot depend on anything that loads after it. On the detection and response side, we have built components that feed telemetry into Endpoint Detection and Response (EDR) platforms, implementing the kernel-mode sensors that capture process creation, file write, and network connection events with the fidelity and performance that EDR pipelines demand. Contact us to discuss your security product requirements, or see our full services overview including our reverse engineering, code review, and debugging services.
Windows Security Technologies
Modern Windows imposes several layers of protection specifically designed to prevent malicious or incompetent kernel-mode code from compromising the system. Understanding and working correctly within these technologies is a prerequisite for any kernel-mode security product.
PatchGuard (Kernel Patch Protection) detects unauthorized modifications to critical kernel data structures (the SSDT, IDT, GDT, certain MSRs, and kernel code sections) and, when it finds tampering, bugchecks the machine with CRITICAL_STRUCTURE_CORRUPTION (0x109). Security software that once relied on hooking these structures must use the supported, documented callback mechanisms instead. Driver Signature Enforcement (DSE) requires every kernel-mode driver to carry a valid signature; on current 64-bit Windows with Secure Boot enabled that in practice means a Microsoft signature obtained through the Hardware Dev Center (attestation signing or WHQL), and an unsigned driver loads only when Secure Boot is off and test-signing mode is enabled. Secure Boot and HVCI (Hypervisor-Protected Code Integrity, also called Memory Integrity) extend this further: HVCI uses the hypervisor's second-level address translation to enforce that no kernel page is both writable and executable, and that only code validated by the code integrity service running in the isolated secure kernel (VTL1) can be marked executable, so even code running at ring 0 cannot patch kernel code or inject new code at runtime. Security products must be designed from the ground up to function correctly in an HVCI-enabled environment: no executable pool allocations (use NonPagedPoolNx), no self-modifying or dynamically generated code, and no reliance on the hooking techniques that worked on earlier Windows versions. Driver Verifier's code integrity checks will flag most HVCI-incompatible behaviour before customers do.
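The following script, added here as an example and not Joya Systems' code, reports the protection state described above on the machine it runs on and checks a driver file's Authenticode signature, which is the quickest way to predict whether a given .sys will load under DSE. It assumes the documented value meanings of the `Win32_DeviceGuard` class (`VirtualizationBasedSecurityStatus` 2 = running; `SecurityServicesRunning` contains 1 for Credential Guard and 2 for HVCI) and uses a `^CN=Microsoft Windows` match on the leaf signer as a heuristic for a Microsoft-issued signature. It needs an elevated prompt because `Confirm-SecureBootUEFI` and `bcdedit` require administrator rights.

```powershell
# Added example (not Joya Systems' code). Reports Secure Boot, VBS/HVCI and test-signing
# state, then checks whether a driver file carries a signature DSE will accept.
# Run elevated. Win32_DeviceGuard value meanings follow the class documentation.
function Get-KernelProtectionState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Confirm-SecureBootUEFI throws on legacy BIOS boot; treat that as "not enabled".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    [pscustomobject]@{
        SecureBoot        = $secureBoot
        VbsRunning        = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured    = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning       = ($dg.SecurityServicesRunning -contains 2)
        # Either of these being Yes means the box is not representative of a customer machine.
        TestSigning       = [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
        NoIntegrityChecks = [bool]($bcd | Where-Object { $_ -match '^\s*nointegritychecks\s+Yes' })
    }
}

function Test-DriverSignature {
    # Authenticode status plus the leaf signer, so you can tell a Microsoft (Hardware Dev
    # Center / inbox) signature from a vendor-only signature at a glance.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Path            = $Path
        Status          = $sig.Status.ToString()      # 'Valid' is what DSE needs with Secure Boot on
        Signer          = $signer
        # Heuristic (assumption): Microsoft signs drivers with subjects starting "CN=Microsoft Windows".
        MicrosoftSigned = [bool]($signer -and $signer -match '^CN=Microsoft Windows')
        SignatureTime   = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.NotBefore } else { $null }
    }
}

# Usage: show the platform state, then check a known-good inbox driver as a reference point.
$state = Get-KernelProtectionState
$state | Format-List
$drv = Test-DriverSignature -Path "$env:SystemRoot\System32\drivers\ntfs.sys"
$drv | Format-List
if ($state.SecureBoot -and -not $state.TestSigning -and $drv.Status -ne 'Valid') {
    Write-Warning "$($drv.Path): status $($drv.Status); DSE will refuse to load this driver on this machine."
}
if ($state.HvciRunning) {
    Write-Host 'HVCI is running: also run the driver under Driver Verifier with code integrity checks before shipping.'
}
```

A valid signature answers only the DSE question. HVCI compatibility is a property of what the driver does at runtime (executable pool, W+X mappings, self-patching) and is not visible from the signature, which is why the usage block points at Driver Verifier when HVCI is on.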
We understand these technologies from both the defensive and analytical perspective. That means we can write security software that works correctly on current Windows versions and evaluate whether existing code, whether acquired software or contractor-built components, will function as expected under modern Windows security policies.
Security Engagement Scenarios
The most common engagement type is a security product company building kernel-mode agents: they need an ELAM driver, a file system minifilter, a network inspection component, or a process monitoring driver written or reviewed by engineers who understand both the security domain and the kernel development constraints. Incident response and malware analysis is another area: a suspected rootkit is found on a compromised machine, and the responding team needs someone who can analyze the driver binary using IDA Pro or Ghidra for static analysis and WinDbg for dynamic analysis, to understand what it does, how it achieved persistence, and what indicators to look for on other systems. Due diligence is a third scenario: a company considering acquiring a security software product wants an independent technical assessment of whether the driver component is soundly written, compatible with current Windows versions, and free of vulnerabilities that would create liability. Our reverse engineering and code review services directly support this work.
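For the incident-response scenario, the first hour is usually spent deciding which driver binaries deserve time in IDA, Ghidra or WinDbg. The script below, added as an example and not Joya Systems' code, walks the kernel-driver persistence point a rootkit most often uses, the `Services` registry hive, and flags entries whose image is missing, unsigned, recently modified, or registered in the Early-Launch group. The flags are triage heuristics to prioritise analysis, not verdicts; the `$RecentDays` threshold and the ELAM group name `Early-Launch` (the load order group ELAM drivers use) are assumptions you should adjust to the case. Run it elevated.

```powershell
# Added example (not Joya Systems' code). First-pass triage of kernel-driver persistence
# via the Services hive: which drivers auto-load, where their images are, and whether the
# images are signed and recent. Run elevated. Flags are heuristics, not verdicts.
function Get-DriverPersistenceTriage {
    param([int]$RecentDays = 30)   # assumption: tune to the incident timeline
    $cutoff  = (Get-Date).AddDays(-$RecentDays)
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file system driver. Everything else is a user-mode service.
        if ($null -eq $p -or $null -eq $p.Type -or $p.Type -notin 1, 2) { continue }
        $path = $p.ImagePath
        if ($path) {
            # Normalise the NT-style prefixes the loader accepts into a Win32 path.
            $path = [Environment]::ExpandEnvironmentVariables($path)
            $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        } else {
            # No ImagePath: the loader falls back to System32\drivers\<servicename>.sys
            $path = Join-Path $env:SystemRoot "System32\drivers\$($key.PSChildName).sys"
        }
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $mtime  = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime } else { $null }
        $flags  = @()
        if (-not $exists)                                 { $flags += 'FileMissing' }
        if ($sig -and $sig.Status -ne 'Valid')            { $flags += "Signature:$($sig.Status)" }
        if ($mtime -and $mtime -gt $cutoff)               { $flags += 'RecentlyModified' }
        if ($null -ne $p.Start -and $p.Start -le 2)       { $flags += 'AutoLoads' }   # 0 boot, 1 system, 2 auto
        if ($p.Group -eq 'Early-Launch')                  { $flags += 'ELAM' }        # assumption: ELAM load order group
        [pscustomobject]@{
            Name            = $key.PSChildName
            Start           = $p.Start
            Group           = $p.Group
            Path            = $path
            SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'NoFile' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            LastWriteTime   = $mtime
            Flags           = ($flags -join ',')
        }
    }
}

# Usage: auto-loading drivers that are missing, unsigned or recent go to the top of the list.
$all = @(Get-DriverPersistenceTriage -RecentDays 30)
$all |
    Where-Object { $_.Flags -match 'FileMissing|Signature:|RecentlyModified' } |
    Sort-Object @{ Expression = { $_.Flags -match 'AutoLoads' }; Descending = $true }, Name |
    Format-Table Name, Start, Path, SignatureStatus, LastWriteTime, Flags -AutoSize
```

Two caveats a responder should keep in mind: a driver hidden by unlinking itself from the kernel's loaded-module list will still show up here if it kept its service key (that is the point of checking persistence rather than the live module list), but a driver loaded by an exploit or a revoked vulnerable driver without any service key will not, so this complements rather than replaces a live kernel view from WinDbg. Catalog-signed inbox drivers may also report a status other than `Valid` on older PowerShell versions; the interesting entries are non-`Valid` signatures on third-party paths.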
Frequently Asked Questions
- Q: What types of security software can Joya Systems develop?
- We develop kernel-mode security components including anti-malware file system filter drivers, process protection and whitelisting drivers, registry monitoring and tamper-prevention drivers, network filtering drivers using WFP, and ELAM (Early Launch Anti-Malware) drivers. We also build the kernel-mode sensor layer for EDR platforms.
- Q: Do you develop anti-malware drivers for Windows?
- Yes. We have developed anti-malware kernel components including real-time file scanning minifilters, boot-time ELAM drivers certified through the Microsoft anti-malware program, and behavior monitoring components that track process, file, and network activity. We understand the Windows Anti-Malware Scan Interface (AMSI) and how to integrate with it correctly.
- Q: Can you help with endpoint detection and response (EDR) integration?
- Yes. We build the kernel-mode telemetry components that power EDR platforms — process creation and termination callbacks, file system activity monitors, registry change notifications, and network connection sensors. These components are designed for high-throughput, low-latency event delivery with minimal impact on system performance. Get in touch to discuss your EDR architecture.