
genesisgzdev/threat-detection-suite

Threat Detection Suite (TDS)

System Architecture

The Threat Detection Suite (TDS) operates across two execution rings: Kernel-Mode (Ring 0) collects telemetry, and User-Mode (Ring 3) analyzes it. Keeping the high-latency heuristic work (YARA scanning, entropy calculation) out of kernel callbacks means it cannot inflate system-wide DPC (Deferred Procedure Call) latency, and a crash in the analysis code takes down a service rather than causing a bug check (BSOD).

```mermaid
graph TD;
    subgraph Ring 0 [Kernel Mode]
        WFP[WFP Sublayer Filter] --> |Network Telemetry| EL[Event Lookaside List];
        MF[Minifilter Callback] --> |File I/O Telemetry| EL;
        OB[ObRegisterCallbacks] --> |Process Handle Req| EL;
        EL --> |InterlockedPushEntrySList| SList[Lock-Free SList Queue];
        IOCTL[IOCTL_TDS_GET_NEXT_EVENT] --> |InterlockedPopEntrySList| SList;
    end

    subgraph Ring 3 [User Mode]
        SList --> |Buffered IRP| Svc[TDS Analysis Service];
        Svc --> |ETW-Ti Session| ETW[EtwCollector];
        Svc --> |MEM_PRIVATE Scan| YARA[MemoryScanner / libyara];
        Svc --> |Shannon Entropy| Heuristics[HeuristicsEngine];
        Heuristics --> |Risk Score >= 70| IPS[IPSManager];
        IPS --> |NtTerminateProcess| Threat[Malicious Process];
        Heuristics --> |Log Event| Log[tds_threat_events.jsonl];
    end
    
    subgraph Automation [Response]
        Log --> |tail -f| Bot[SOC Bot python];
        Bot --> |HTTP POST| GitHub[GitHub Issues API];
    end
```

Core Implementation Details

1. Windows Filtering Platform (WFP)

The network filter operates independently of the Windows Firewall by registering its own WFP sublayer (TDS_SUBLAYER_GUID) and attaching its callout filters to it.

  • Weight: The sublayer weight is set to 0xFFFF, the maximum of the UINT16 field, so the TDS callouts classify traffic before lower-weighted third-party sublayers. Another product that also registers at 0xFFFF is ordered relative to TDS in no guaranteed way, so the weight is a strong preference rather than a guarantee.
  • Loopback Exclusion: A filter condition on FWP_CONDITION_FLAG_IS_LOOPBACK excludes loopback traffic in the filter engine, before the callout is invoked, so local IPC over 127.0.0.1/::1 produces no telemetry.
  • Protocol Precision: The callout is registered at FWPS_LAYER_DATAGRAM_DATA_V4 and V6 and inspects UDP port 53. Datagrams whose payload exceeds 512 bytes are blocked (FWP_ACTION_BLOCK) as suspected DNS tunneling. Two deployment caveats: EDNS0 (RFC 6891) allows legitimate UDP DNS messages to exceed 512 bytes and DNSSEC-signed responses routinely do, so this rule will drop valid responses; and a tunnel that keeps every message under 512 bytes, which is the normal case for tools that encode data in query names, passes the size check untouched. Treat it as a coarse filter rather than a neutralizer.

2. Lock-Free Telemetry Queuing

Taking a KSPIN_LOCK around every event in a high-I/O scenario (ransomware encrypting a drive produces a minifilter callback per write) serializes every CPU on one lock at DISPATCH_LEVEL and causes severe processor contention. TDS avoids the lock entirely.

  • Memory Allocation: The driver initializes an NPAGED_LOOKASIDE_LIST in DriverEntry. High-frequency callbacks allocate fixed-size event records from it, which in the steady state is an O(1) interlocked pop from a cache of free blocks with no pool fragmentation. When the list is empty the allocation falls through to the pool allocator, so the constant-time property holds only once the list has warmed up, and callers must still handle a NULL return.
  • Queueing: Events are pushed onto an SLIST_HEADER with InterlockedPushEntrySList; the user-mode service drains them through IOCTL_TDS_GET_NEXT_EVENT, which calls InterlockedPopEntrySList. No thread ever blocks on a lock; a push that loses the compare-and-swap race simply retries. Two properties follow from the data structure and are worth checking in any consumer: an SList is LIFO, so a single pop returns the newest event rather than the oldest, and ordered consumption needs a flush (InterlockedFlushSList) followed by a reversal; and an SList has no built-in capacity limit, so the driver must cap its depth (QueryDepthSList) or drop events when the service stops draining, otherwise nonpaged pool grows without bound.
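The following is an added example, not code from the TDS driver: a user-mode model of the same push/pop pattern written with C11 atomics so it can be compiled and run anywhere. It mirrors the SLIST_HEADER operations (push, pop, flush) and makes the LIFO property visible: a single pop returns the newest event, while a flush plus reversal yields events in the order they were produced. The event layout, the `tds_` names and the single-consumer assumption are choices made for the example.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Event record. The link must be the first field, like SLIST_ENTRY; the driver
 * would carve these from its NPAGED_LOOKASIDE_LIST instead of calloc(). */
typedef struct tds_event {
    struct tds_event *next;
    uint64_t seq;      /* monotonic sequence stamped by the producer */
    uint32_t source;   /* 0 = WFP, 1 = minifilter, 2 = ObRegisterCallbacks */
} tds_event;

/* Stand-in for SLIST_HEADER. The real header also packs a depth and a sequence
 * number so several concurrent poppers cannot corrupt the list (ABA). This
 * model is therefore safe only with ONE consumer, which matches the TDS
 * arrangement: many kernel callbacks push, one service thread pops. */
static _Atomic(tds_event *) g_head = NULL;
static _Atomic uint64_t g_seq = 0;

/* InterlockedPushEntrySList equivalent. No lock is taken; a producer that loses
 * the CAS race retries, so "lock-free" means no waiting on a lock, not that
 * contention is free. */
void tds_push(tds_event *ev)
{
    tds_event *old = atomic_load_explicit(&g_head, memory_order_relaxed);
    do {
        ev->next = old;
    } while (!atomic_compare_exchange_weak_explicit(&g_head, &old, ev,
                                                    memory_order_release,
                                                    memory_order_relaxed));
}

/* InterlockedPopEntrySList equivalent (single consumer). Returns the NEWEST
 * entry, which is what an IOCTL that pops one entry per call actually gets. */
tds_event *tds_pop(void)
{
    tds_event *old = atomic_load_explicit(&g_head, memory_order_acquire);
    while (old != NULL &&
           !atomic_compare_exchange_weak_explicit(&g_head, &old, old->next,
                                                  memory_order_acquire,
                                                  memory_order_acquire)) {
        /* a producer pushed between the load and the CAS; 'old' was refreshed */
    }
    return old;
}

/* InterlockedFlushSList equivalent plus a reversal: detach the whole list with
 * one atomic exchange and return it oldest-first. One interlocked operation
 * per batch instead of one per event, and FIFO order out of a LIFO structure. */
tds_event *tds_flush_fifo(void)
{
    tds_event *lifo = atomic_exchange_explicit(&g_head, (tds_event *)NULL,
                                               memory_order_acq_rel);
    tds_event *fifo = NULL;
    while (lifo != NULL) {
        tds_event *n = lifo->next;
        lifo->next = fifo;
        fifo = lifo;
        lifo = n;
    }
    return fifo;
}

/* Producer helper standing in for a kernel callback: allocate, stamp, push. */
tds_event *tds_emit(uint32_t source)
{
    tds_event *ev = calloc(1, sizeof *ev);
    if (ev == NULL) return NULL;   /* allocator exhausted: the event is dropped */
    ev->seq = atomic_fetch_add(&g_seq, 1) + 1;
    ev->source = source;
    tds_push(ev);
    return ev;
}

/* Consumer helper: flush in FIFO order into out[] (up to cap entries), free the
 * records, return how many were dequeued. */
size_t tds_drain(uint64_t *out, size_t cap)
{
    size_t count = 0;
    for (tds_event *ev = tds_flush_fifo(); ev != NULL; ) {
        tds_event *next = ev->next;
        if (count < cap) out[count] = ev->seq;
        count++;
        free(ev);
        ev = next;
    }
    return count;
}

/* Reset global state so runs are repeatable. */
void tds_reset(void)
{
    uint64_t sink[1];
    tds_drain(sink, 0);
    atomic_store(&g_seq, 0);
}

int main(void)
{
    tds_reset();
    tds_emit(0); tds_emit(1); tds_emit(2);
    tds_event *newest = tds_pop();      /* seq 3: a single pop is LIFO */
    free(newest);
    uint64_t order[8];
    size_t n = tds_drain(order, 8);     /* {1, 2}: flush + reverse is FIFO */
    return (n == 2 && order[0] == 1 && order[1] == 2) ? 0 : 1;
}
```

The single-consumer restriction is not incidental: with two poppers, a node freed by one and reallocated by the other can reappear at the head with the same address, and the plain pointer CAS above would link in a stale `next`. The Windows SLIST_HEADER carries a sequence number precisely to detect that case, which is why the kernel API is safe for multiple consumers and this model is not.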

3. Kernel Exception Handling (Anti-Fuzzing)

The TDSDispatchDeviceControl routine is hardened against user-mode fuzzing of its IOCTL interface.

  • Structured Exception Handling (__try / __except(EXCEPTION_EXECUTE_HANDLER)) wraps every access to caller-supplied buffers.
  • ProbeForRead and ProbeForWrite are enforced for METHOD_NEITHER requests, where the I/O manager has validated nothing and Type3InputBuffer and UserBuffer are raw user pointers. The probe is what rejects a kernel-mode address or a misaligned pointer: a kernel address handed in by user mode does not fault when the driver dereferences it, so SEH on its own would turn such a request into an arbitrary kernel read or write.
  • If a malicious process sends a corrupted pointer or an oversized length, the resulting STATUS_ACCESS_VIOLATION (or STATUS_DATATYPE_MISALIGNMENT raised by the probe) is caught by the handler, which fails the IRP with that status instead of taking a bug check (BSOD).
  • SEH does not protect against a double fetch: a length validated in the user buffer and then read from the user buffer again can be changed by another thread in between. The request header must be captured into a kernel-owned copy once, and every later check and copy must use the captured values.
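As an added example (not the TDS dispatch routine, which cannot be compiled outside a driver), the following user-mode model shows the two things SEH alone does not give you: the address-range and alignment check that ProbeForRead performs, and capturing the request once before validating it. The user/kernel boundary, the request header layout, the 4096-byte payload cap and the `sim_`/`tds_` names are assumptions for the example; the address 0x00007FFFFFFF0000 is the x64 MmUserProbeAddress.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SIM_USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL   /* x64 MmUserProbeAddress */
#define TDS_MAX_PAYLOAD 4096u                          /* assumed request cap */

typedef struct {
    uint32_t version;
    uint32_t length;   /* bytes of payload the caller claims follow the header */
} tds_request_hdr;

typedef enum { TDS_OK, TDS_BAD_ADDRESS, TDS_BAD_LENGTH, TDS_BAD_ALIGN, TDS_TOO_LARGE } tds_status;

/* Models ProbeForRead: a zero-length range always passes; otherwise the range
 * must be aligned, must not wrap, and must end below the user probe address.
 * A kernel address supplied by the caller would NOT fault when a driver reads
 * it, so SEH never catches it; this check is what rejects it. */
tds_status sim_probe(uint64_t addr, uint64_t length, uint64_t alignment)
{
    if (length == 0) return TDS_OK;
    if (alignment > 1 && (addr & (alignment - 1)) != 0) return TDS_BAD_ALIGN;
    if (addr + length < addr) return TDS_BAD_LENGTH;            /* wraps around */
    if (addr + length > SIM_USER_PROBE_ADDRESS) return TDS_BAD_ADDRESS;
    return TDS_OK;
}

typedef void (*racer_fn)(uint8_t *user_mem);

/* A second thread that rewrites the header after it was checked. */
void racer_inflate(uint8_t *user_mem)
{
    uint32_t huge = 0xFFFFFFFFu;
    memcpy(user_mem + offsetof(tds_request_hdr, length), &huge, sizeof huge);
}

/* The defect to avoid (double fetch): the length is checked in user memory and
 * then read from user memory again. Returns the length the copy would use. */
uint32_t unsafe_length(uint8_t *user_mem, racer_fn racer)
{
    tds_request_hdr hdr;
    memcpy(&hdr, user_mem, sizeof hdr);                 /* fetch 1: check */
    if (hdr.length > TDS_MAX_PAYLOAD) return 0;
    if (racer) racer(user_mem);
    memcpy(&hdr, user_mem, sizeof hdr);                 /* fetch 2: use */
    return hdr.length;
}

/* Hardened handling of a METHOD_NEITHER input buffer: probe, capture ONCE,
 * validate the captured copy, then probe and copy the payload using only the
 * captured length. user_addr is the simulated address the caller passed;
 * user_mem/user_len are the simulated backing bytes, where reading past
 * user_len stands in for the page fault SEH would catch in the driver. */
tds_status capture_request(uint64_t user_addr, const uint8_t *user_mem, size_t user_len,
                           tds_request_hdr *captured, uint8_t *payload, size_t payload_cap)
{
    tds_status st = sim_probe(user_addr, sizeof *captured, _Alignof(tds_request_hdr));
    if (st != TDS_OK) return st;
    if (user_len < sizeof *captured) return TDS_BAD_ADDRESS;
    memcpy(captured, user_mem, sizeof *captured);       /* the single fetch */
    if (captured->length > TDS_MAX_PAYLOAD || captured->length > payload_cap) return TDS_TOO_LARGE;
    st = sim_probe(user_addr + sizeof *captured, captured->length, 1);
    if (st != TDS_OK) return st;
    if (user_len - sizeof *captured < captured->length) return TDS_BAD_ADDRESS;
    memcpy(payload, user_mem + sizeof *captured, captured->length);
    return TDS_OK;
}
```

In a real driver the `sim_probe` calls are `ProbeForRead`/`ProbeForWrite` inside the `__try` block, and `captured` lives on the kernel stack or in a pool allocation; the point that survives translation is that nothing after the first copy reads the caller's memory except the one bounded payload copy.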

4. Process Tamper Protection

Protection of critical processes (LSASS and the TDS user-mode service) is implemented with ObRegisterCallbacks on PsProcessType. ObRegisterCallbacks only accepts registrations from drivers linked with /INTEGRITYCHECK (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY), so that flag is a build requirement.

  • Signature Verification: IsLsass() calls PsGetProcessSignatureLevel() and requires a signature level of at least 7 before it compares image paths. On the SE_SIGNING_LEVEL_* scale from winnt.h, 7 is SE_SIGNING_LEVEL_ANTIMALWARE, 8 is SE_SIGNING_LEVEL_MICROSOFT and 12 is SE_SIGNING_LEVEL_WINDOWS; an unsigned or third-party-signed binary dropped at a look-alike path never reaches the path check, which defeats trivial path spoofing.
  • Access Stripping: In the pre-operation callback, handle requests (OB_OPERATION_HANDLE_CREATE and OB_OPERATION_HANDLE_DUPLICATE) against protected PIDs have PROCESS_TERMINATE, PROCESS_VM_WRITE, PROCESS_SUSPEND_RESUME and PROCESS_CREATE_THREAD cleared from DesiredAccess before the handle is created. Rights outside that list, in particular PROCESS_VM_READ, PROCESS_QUERY_INFORMATION and PROCESS_DUP_HANDLE, are left intact, so this mask on its own stops tampering but not a tool that only reads LSASS memory. Requests with OperationInformation->KernelHandle set should be left untouched, since they originate in kernel-mode code.
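The decision logic of such a pre-operation callback, written as an added example (not the TDS driver's callback) in a form that compiles outside the kernel. The `PROCESS_*`, `OB_OPERATION_*` and `SE_SIGNING_LEVEL_*` values are the real SDK constants; the `ob_request` struct stands in for OB_PRE_OPERATION_INFORMATION, and the self-exemption and the protected-PID list are design choices for the example. The test below also makes the gap in the mask explicit: PROCESS_VM_READ survives.

```c
#include <stdbool.h>
#include <stdint.h>

/* Real SDK values (winnt.h / ntddk.h). */
#define PROCESS_TERMINATE         0x0001
#define PROCESS_CREATE_THREAD     0x0002
#define PROCESS_VM_READ           0x0010
#define PROCESS_VM_WRITE          0x0020
#define PROCESS_DUP_HANDLE        0x0040
#define PROCESS_QUERY_INFORMATION 0x0400
#define PROCESS_SUSPEND_RESUME    0x0800
#define PROCESS_ALL_ACCESS        0x1FFFFF
#define OB_OPERATION_HANDLE_CREATE    1
#define OB_OPERATION_HANDLE_DUPLICATE 2
#define SE_SIGNING_LEVEL_ANTIMALWARE  7
#define SE_SIGNING_LEVEL_MICROSOFT    8
#define SE_SIGNING_LEVEL_WINDOWS      12

/* Rights the page says TDS strips. Absent from it: PROCESS_VM_READ,
 * PROCESS_QUERY_INFORMATION, PROCESS_DUP_HANDLE. */
#define TDS_STRIP_MASK (PROCESS_TERMINATE | PROCESS_VM_WRITE | \
                        PROCESS_SUSPEND_RESUME | PROCESS_CREATE_THREAD)

/* What the callback can learn about one handle request (simulated). */
typedef struct {
    uint32_t operation;            /* OperationInformation->Operation */
    bool     kernel_handle;        /* OperationInformation->KernelHandle */
    uint64_t requestor_pid;        /* PsGetCurrentProcessId() inside the callback */
    uint64_t target_pid;           /* PsGetProcessId(OperationInformation->Object) */
    uint8_t  target_sig_level;     /* PsGetProcessSignatureLevel(Object, NULL) */
    bool     target_path_is_lsass; /* outcome of the image-path comparison */
    uint32_t desired_access;       /* ...HandleInformation.DesiredAccess */
} ob_request;

/* IsLsass() as described: signature gate first, path comparison second, so a
 * renamed binary at a spoofed path never qualifies. */
bool is_lsass(const ob_request *r)
{
    return r->target_sig_level >= SE_SIGNING_LEVEL_ANTIMALWARE && r->target_path_is_lsass;
}

bool is_protected(const ob_request *r, uint64_t tds_service_pid)
{
    return r->target_pid == tds_service_pid || is_lsass(r);
}

/* Returns the DesiredAccess the callback should write back into the
 * operation. Everything it declines to touch is returned unchanged. */
uint32_t filter_desired_access(const ob_request *r, uint64_t tds_service_pid)
{
    if (r->kernel_handle) return r->desired_access;          /* kernel-mode caller */
    if (r->requestor_pid == r->target_pid) return r->desired_access; /* self-open (example choice) */
    if (r->operation != OB_OPERATION_HANDLE_CREATE &&
        r->operation != OB_OPERATION_HANDLE_DUPLICATE) return r->desired_access;
    if (!is_protected(r, tds_service_pid)) return r->desired_access;
    return r->desired_access & ~(uint32_t)TDS_STRIP_MASK;
}
```

The self-open exemption exists because the protected service and LSASS both open handles to themselves during normal operation; without it the callback would strip rights from the very process it protects. Whether to add PROCESS_VM_READ to the mask is a policy decision: it closes the read-only dumping path but also breaks legitimate tools that read LSASS, so the callback usually pairs it with an allow-list of requestors.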

5. Minifilter Reentrancy Prevention

To prevent the recursion in which the EDR intercepts its own log writes (each intercepted write producing an event, each event producing another write), the driver is requestor-aware.

  • TDSPreWriteCallback calls FltGetRequestorProcess() and compares the result with the TDS user-mode service process. If they match, the operation is passed through with FLT_PREOP_SUCCESS_NO_CALLBACK, so it generates neither telemetry nor a post-operation callback.
  • Every entry in the driver's FLT_OPERATION_REGISTRATION array carries FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, so paging I/O issued by the Memory Manager, which can arrive while the Memory Manager holds locks the callback might need, never enters the callbacks. This is what avoids the deadlock with the Memory Manager.

6. User-Mode Memory Scanning and YARA

The MemoryScanner class links libyara directly into the C++ runtime.

  • It walks the virtual address space of each running process, scanning only regions whose Type is MEM_PRIVATE and whose protection is PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_READ. Private RWX memory is a strong signal on its own; private RX memory is also produced legitimately by JIT engines (.NET, browsers), so a match there deserves a lower weight.
  • Direct Syscalls & Stack Pivoting: The scanner searches those regions for the syscall instruction (0F 05) outside the mapped range of ntdll.dll, where it normally lives. A raw two-byte search also hits immediates and data, so the match should cover the full stub shape that direct-syscall tools copy out of ntdll (mov r10,rcx; mov eax,imm32; syscall; ret) rather than the opcode alone. For stack pivoting it locates each thread's TEB through NtQueryInformationThread (ThreadBasicInformation, TebBaseAddress), reads StackBase and StackLimit from the NT_TIB at the start of the TEB, and checks that the thread's stack pointer, taken from the thread context while the thread is suspended, lies within those bounds.

7. Automated Incident Response (SOC Bot)

The tools/soc/soc_bot.py script provides real-time automated reporting.

  • It performs a non-blocking tail of tds_threat_events.jsonl, reading new lines as the HeuristicsEngine appends them.
  • When an event with severity HIGH or CRITICAL appears, the bot builds a Markdown report and creates an issue through the GitHub Issues API over HTTPS.
  • Configuration comes strictly from environment variables (GITHUB_TOKEN, TDS_LOG_PATH); no local paths or credentials are hardcoded. Because anything able to append to the JSONL file can make the bot act with that token, GITHUB_TOKEN should be scoped to issue creation on the reporting repository and nothing more.

About

Advanced multi-vector threat detection suite for Windows systems
