Deep Kernel Visibility: Unveiling Surveyor, the Ultimate Windows Profiling Tool

by ddos · January 10, 2026

Surveyor

Advanced Windows kernel analysis and system profiling tool. Provides comprehensive visibility into kernel callbacks, ETW sessions, driver analysis, and system state through both userland APIs and optional kernel driver integration.

Key features

Kernel Callback Analysis: Enumerate process, thread, image load, and registry callbacks using symbol resolution
ETW Session Discovery: Identify active ETW sessions, consumers, and trace providers with kernel-level visibility
Security Product Detection: Detect EDR/AV products through callback enumeration and minifilter analysis
Symbol Resolution: Microsoft symbol server integration for resolving Windows kernel symbols
Driver Analysis: Comprehensive kernel module enumeration with gap detection for hooks
Memory Forensics: Direct kernel memory access for advanced analysis and pattern detection

Core Components

Data Collectors

System: GetVersionExW, GetSystemInfo, GlobalMemoryStatusEx
Processes: CreateToolhelp32Snapshot, Process32FirstW/NextW, module enumeration
Drivers: NtQuerySystemInformation(SystemModuleInformation), registry parsing
Services: Service Control Manager APIs, configuration queries
Network: GetAdaptersAddresses, GetExtendedTcpTable, routing tables
Registry: Security hive enumeration, persistence location scanning
Filesystem: Drive enumeration, security software directory detection
AMSI: Provider registry analysis, COM object introspection
ETW: TdhEnumerateProviders, session enumeration, consumer analysis, autologger configs
Callbacks: Kernel callback table enumeration via symbol resolution and driver communication
Minifilters: Filesystem operation callback enumeration and classification