@ARISTODE
Created November 4, 2025 05:12
  • Step 1: Reviewed DriverEntry (0x140001000) to record the device pair \Device\KApcHelper1 / \DosDevices\KApcHelperLink1, blanket dispatch table, and registration of ProcessCreateNotifyHandler plus a dummy thread notify hook.
  • Step 2: Traced the init path into ResolveKernelApis (0x140001244) and LocateThreadFlagSetterPattern (0x1400014B0) to understand which kernel services and hidden thread helpers the driver depends on.
  • Step 3: Decompiled DeviceControlDispatcher (0x140001B70) to map IOCTLs, uncover the handshake scheme, and note how every command is obfuscated by the HandshakeSeed.
  • Step 4: Followed the command flow into HandleHandshakeSeed (0x140001124) to confirm token generation/validation and the use of HandshakeValidated as a global gate.
  • Step 5: Expanded the termination path through TerminateProcessIfAlive (0x14000169C) → TerminateProcessThreads (0x140001980) → ApcProcessKillRoutine (0x1400011C0) / SystemThreadKillWorker (0x1400011E0) to document both kill techniques and their cleanup helpers.
  • Step 6: Inspected ProcessCreateNotifyHandler (0x140001800) and PatchThreadFlagsAndTerminate (0x140001864) to correlate the on-create kill/suspend modes with the handshake-controlled flags.

Function Mapping Table

| Original Name | New Name | Address | Description |
|---|---|---|---|
| sub_140001244 | ResolveKernelApis | 0x140001244 | Grabs pointers to Ps*/Zw*/Ke routines needed for process manipulation. |
| sub_140001600 | LookupSystemRoutine | 0x140001600 | Wrapper around MmGetSystemRoutineAddress. |
| sub_1400014B0 | LocateThreadFlagSetterPattern | 0x1400014B0 | Pattern scans near PsTerminateSystemThread to recover an internal thread flag setter. |
| sub_14000159C | ScanPatternRange | 0x14000159C | Byte-pattern search helper used by the locator. |
| sub_140001124 | HandleHandshakeSeed | 0x140001124 | Generates, returns, and validates the shared secret that unlocks commands. |
| sub_140001B70 | DeviceControlDispatcher | 0x140001B70 | IOCTL handler implementing the covert protocol and dispatching process control ops. |
| sub_140001980 | TerminateProcessThreads | 0x140001980 | Kills a target via queued APCs or a helper system thread/job object. |
| sub_14000169C | TerminateProcessIfAlive | 0x14000169C | Checks exit status then invokes the kill routine with the requested method. |
| sub_14000162C | ResumeProcessIfAlive | 0x14000162C | Resumes active processes through PsResumeProcess. |
| sub_140001664 | SuspendProcessIfAlive | 0x140001664 | Suspends active processes through PsSuspendProcess. |
| sub_1400016D0 | KillProcessViaJobCleanup | 0x1400016D0 | Terminates current process/job objects and closes handles safely. |
| sub_1400011C0 | ApcProcessKillRoutine | 0x1400011C0 | Kernel APC routine that frees context, kills the process, then calls PatchThreadFlagsAndTerminate. |
| sub_1400011E0 | SystemThreadKillWorker | 0x1400011E0 | Worker entry for system threads spawned to kill a process. |
| sub_140001200 | CloseHandleSafely | 0x140001200 | Clears handle attributes and closes handles via Ob APIs. |
| sub_140001800 | ProcessCreateNotifyHandler | 0x140001800 | Ps notify callback that blocks, kills, or suspends new processes. |
| sub_140001864 | PatchThreadFlagsAndTerminate | 0x140001864 | OS-specific KTHREAD flag patcher that forces termination via PsTerminateSystemThread. |
| sub_140001B50 | DefaultIrpComplete | 0x140001B50 | Default IRP handler returning success. |
| sub_140001ED0 | GatherCpuFeatures | 0x140001ED0 | Captures CPUID/XGETBV features into CpuFeatureFlags. |

Behavioral Analysis

  • Capabilities: Driver exposes IOCTLs (0x222094/98/9C/A0) that kill, suspend, or resume arbitrary processes and configures a process-create hook that blocks, kills, or suspends new launches at will (DeviceControlDispatcher 0x140001B70, ProcessHookMode values).
  • Implementation: After handshake, TerminateProcessThreads (0x140001980) either spawns a privileged system thread (PsCreateSystemThread) or walks every thread ID queuing APCs that execute ApcProcessKillRoutine (0x1400011C0); the APC manipulates KTHREAD flags via the pattern-found InternalThreadFlagSetterPtr and then calls KillProcessViaJobCleanup (0x1400016D0) to terminate job handles.
  • Implementation (Create Hook): ProcessCreateNotifyHandler (0x140001800) applies ProcessHookMode commands (values 100× to 113× the handshake seed) to decide whether to fail creation outright, kill the new process (system thread vs APC variants), or leave it suspended, writing failure codes back to CreationStatus.
  • Command Protocol: Handshake IOCTL 0x222088 drives HandleHandshakeSeed (0x140001124); clients must send -1 to receive a HandshakeSeed, then echo that seed (or multiples for mode changes) to flip HandshakeValidated and obfuscate subsequent operands (PID passed as seed * pid).
  • Execution Flow: DriverEntry (0x140001000) resolves sensitive Ps/Zw APIs, registers ProcessCreateNotifyHandler, nullifies unload support, and exposes the device; once a client authenticates, DeviceControlDispatcher unlocks the destructive process-control verbs and global hook toggles.
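The IOCTL codes and device names above are the handles a defender has for triage. The following is an added analyst helper, not code from the gist or the driver: it decodes the reported control codes with the Windows CTL_CODE layout and checks a constructed sample image for the driver's UTF-16LE device-name strings (the sample bytes are constructed for the demo, not taken from the real binary).

```python
# Added analyst helper (not part of the gist): decode the reported IOCTLs and
# triage an image for the device names the report records.

# Windows CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method.
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

def decode_ioctl(code):
    """Split a 32-bit control code into its four CTL_CODE fields."""
    return {
        "device_type": code >> 16,          # 0x22 is FILE_DEVICE_UNKNOWN
        "access": ACCESS[(code >> 14) & 3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 3],
    }

# IOCTLs from the report: 0x222088 is the handshake, 0x222094..0x2220A0 are
# the process-control verbs unlocked once HandshakeValidated is set.
REPORTED_IOCTLS = [0x222088, 0x222094, 0x222098, 0x22209C, 0x2220A0]

# Device names from the report; a PE image stores them as wide strings.
DEVICE_STRINGS = [r"\Device\KApcHelper1", r"\DosDevices\KApcHelperLink1"]

def find_wide_strings(image, needles=DEVICE_STRINGS):
    """Map each needle to the offset of its UTF-16LE encoding (-1 if absent)."""
    return {s: image.find(s.encode("utf-16-le")) for s in needles}

def triage(image):
    """Flag an image that carries both KApcHelper device names."""
    hits = find_wide_strings(image)
    return {"device_strings": hits,
            "suspicious": all(off >= 0 for off in hits.values())}

# Constructed sample: padding around the two wide strings, NOT a real driver.
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 30
                + "\\Device\\KApcHelper1".encode("utf-16-le") + b"\x00" * 8
                + "\\DosDevices\\KApcHelperLink1".encode("utf-16-le"))

if __name__ == "__main__":
    for c in REPORTED_IOCTLS:
        d = decode_ioctl(c)
        print(f"0x{c:06X}: function 0x{d['function']:03X} {d['method']} "
              f"{d['access']} devtype 0x{d['device_type']:02X}")
    print(triage(SAMPLE_IMAGE))
```

The decoded function numbers (0x822, 0x825 to 0x828, all METHOD_BUFFERED on FILE_DEVICE_UNKNOWN) are what to match when filtering ETW or driver-verifier traces for traffic to this device.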

Evidence Summary

  • DriverEntry (0x140001000) sets DriverUnload = 0, registers ProcessCreateNotifyHandler, and builds \Device\KApcHelper1, showing the driver is designed to stay resident while exposing a control surface.
  • DeviceControlDispatcher (0x140001B70) enforces HandshakeValidated, decodes IOCTLs (0x222088–0x2220A0), and divides client operands by HandshakeSeed before calling Ps APIs, evidencing an intentionally covert protocol.
  • HandleHandshakeSeed (0x140001124) derives a pseudo-random seed from system time, stores it in HandshakeSeed, and only flips HandshakeValidated when the caller replays the correct token, gating all destructive operations.
  • TerminateProcessThreads (0x140001980) allocates APC contexts, walks 163,838 thread IDs, queues ApcProcessKillRoutine, and otherwise launches a system thread that calls ZwTerminateProcess and job-object APIs, providing concrete kill mechanisms.
  • ProcessCreateNotifyHandler (0x140001800) checks ProcessHookEnabled, interprets ProcessHookMode, and forces new processes to fail, terminate, or suspend by calling TerminateProcessIfAlive / SuspendProcessIfAlive, confirming persistent process-suppression behavior.
  • PatchThreadFlagsAndTerminate (0x140001864) computes OS-specific KTHREAD offsets, flips internal flags, and invokes PsTerminateSystemThread, demonstrating low-level tampering to guarantee thread death.

Verdict

Malicious driver: it exposes a hidden handshake-protected control channel that weaponizes privileged Ps/Zw routines to terminate, suspend, and block processes system-wide, with additional hooks that automatically neutralize new processes—behavior consistent with a kernel-mode kill-switch or rootkit component.