Discovering footprints of loaded and unloaded kernel mode drivers

Background: There are vulnerable kernel mode drivers for Windows systems, which can be loaded into the system for various purposes. Loaded kernel mode drivers leave traces in the system. Anti-cheat software for video games, for example, looks for vulnerable driver traces in various parts of the system because they are used for cheating. The logic used by anti-cheat software could perhaps be (or was already) used by anti-rootkit tools or rootkits themselves.

I am wondering where traces are left after drivers are loaded and then unloaded. From my research, I found these two places in the Windows NT kernel where unloaded drivers leave traces:

  1. PiDDBCacheTable
  2. MmUnloadedDrivers

(Just to let you know, those are undocumented data structures.) Where else could they leave traces? Is it possible for me to learn this without reverse-engineering the Windows kernel myself?

Joe Toe asked Aug 07 '19 13:08


1 Answer

To my knowledge, ExpCovUnloadedDrivers is another function to detect unloaded drivers. But as far as I know, only drivers that use code coverage get added to this list.

Lucas Breeden answered Oct 14 '22 14:10