I'd like to stir (if possible) a discussion about the pros/cons of the WDF driver model vs. WDM for rootkits and antivirus drivers. From what I've seen and from personal experience (though I'm still a noob), WDM is good in that you have to do most of the stuff manually, and at the same time you are given the right foundational elements, so it is like building with Lego. On the other hand, I haven't seen any mention of a rootkit being written in WDF. Is there any particular reason why WDF, and more specifically KMDF (and why not UMDF even?), is not widely (at all?) used for the development of rootkit/security types of software?
Obviously because drivers with rootkit-like components are not usual drivers.
Thread moved.