I don’t see how. How would the DRM code know to execute unless there is some process sitting there waiting for you to start to play protected content? It may very well be a part of some otherwise innocent process that raises no suspicion, like explorer.exe or something.
When a user launches a player application and opens an ASF file that has a protected audio stream and a protected video stream, the following steps must be performed:
1. The application creates the ASF media source and the protected media path (PMP) session. Media Foundation creates a PMP process.
2. The application creates a partial topology that contains an audio source node connected to the audio renderer, and a video source node connected to the enhanced video renderer (EVR). For the renderers, the application does not directly create the renderer. Instead, the application creates in the unprotected process an object known as an activation object. The PMP uses the activation object to create the renderers in the protected process. (For more information about activation objects, see Activation Objects.)
3. The application sets the partial topology on the PMP session.
4. The PMP session serializes the topology and passes it to the PMP host in the protected process. The PMP host sends the topology to the policy engine.
5. The topology loader calls IMFInputTrustAuthority::GetDecrypter on the ITAs and inserts the decrypters into the topology immediately downstream of the corresponding source nodes.
6. The topology loader inserts the audio and video decoders downstream of the decrypter nodes.
7. The policy engine scans the inserted nodes to determine whether any implement the IMFTrustedOutput interface. The EVR and the audio renderer both implement IMFTrustedOutput, because they send data outside the PMP.
8. Each ITA confirms that it is running inside a protected process by performing a cryptographic handshake with a protected environment kernel module.
9. For each stream, the policy engine negotiates policy by getting a policy object from the ITA and passing it to the OTA. The OTA provides a list of the protection systems that it supports, and the policy object indicates which protection systems must be applied, along with the correct settings. The OTA then applies these settings. If it cannot do so, the content is blocked.
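The per-stream negotiation in the last step can be modelled as a fail-closed check. This is an added example, not code from the post or from Media Foundation. The types, the integer `level` standing in for "settings", and the sample values are assumptions made for illustration.

```cpp
#include <map>
#include <string>
#include <vector>

// Hypothetical model types; none of these are Media Foundation interfaces.
struct Requirement { std::string system; int level; };  // level stands in for "settings"

struct Stream {
    std::string name;
    std::vector<Requirement> policy;       // policy object obtained from the ITA
    std::map<std::string, int> supported;  // OTA: system -> highest level it can apply
    std::map<std::string, int> applied;    // settings the OTA has actually applied
};

// Negotiation for one stream: apply every required system, or apply nothing and block.
bool negotiate(Stream& s) {
    std::map<std::string, int> pending;
    for (const Requirement& r : s.policy) {
        auto it = s.supported.find(r.system);
        if (it == s.supported.end() || it->second < r.level)
            return false;                  // OTA cannot honour the policy: fail closed
        pending[r.system] = r.level;
    }
    s.applied = pending;                   // commit only after all requirements pass
    return true;
}

// In this model, content plays only if negotiation succeeds on every stream.
bool content_allowed(std::vector<Stream>& streams) {
    bool ok = true;
    for (Stream& s : streams) ok = negotiate(s) && ok;
    return ok;
}

// Constructed sample: video requires one protection system, audio has an empty policy.
std::vector<Stream> sample(int video_supported_level) {
    return {
        {"video", {{"HDCP", 1}}, {{"HDCP", video_supported_level}}, {}},
        {"audio", {}, {}, {}},
    };
}

int main() {
    std::vector<Stream> good = sample(1), bad = sample(0);
    return (content_allowed(good) && !content_allowed(bad)) ? 0 : 1;
}
```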