Dll Injector — Kernel

Drivers communicate via IRPs. A malicious driver can hook the IRP handlers of legitimate drivers (like the filesystem driver). When the OS tries to load a legitimate DLL, the malicious driver intercepts the request and returns a handle to the malicious DLL instead.

Modern EDRs and anti-cheats (EasyAntiCheat, BattlEye, CrowdStrike, SentinelOne) monitor: kernel dll injector

Drivers operate in system context. You can inject into any process, regardless of session ID (e.g., Session 0 isolation isn’t a barrier). Drivers communicate via IRPs