Drivers List
Overview
Evidence: Drivers List
Description: Collect driver list
Category: System
Platform: windows
Short Name: dri
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Kernel drivers are privileged software components that run in kernel mode with full access to system memory and hardware. They are used for device drivers, file system filters, security software, and system utilities.
Malicious drivers (rootkits) can hide processes, files, network connections, and other artifacts from user-mode tools. Enumerating loaded drivers is critical for detecting kernel-level threats and understanding the system’s low-level software stack.
Data Collected
This collector gathers structured data about the loaded kernel driver list, one record per driver.
Drivers List Data
| Field | Description | Example |
|---|---|---|
| FilePath | Full path to the driver file | C:\Windows\System32\drivers\ntfs.sys |
| FileName | Driver file name | ntfs.sys |
| FileSize | Size of the driver file (bytes) | 1048576 |
| FileModified | Last modified timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00 |
| FileCreated | Creation timestamp | 2023-10-01T10:00:00 |
| Hash | Hash of the driver file | SHA256:a1b2c3… |
| Signature | Digital signature information | Microsoft Windows |
| SignatureValid | Whether the signature is valid | TRUE |
| BaseAddress | Memory address where the driver is loaded | 0xFFFFF80012340000 |
| Size | Size of the loaded driver in memory (bytes) | 1048576 |
Collection Method
This collector uses IOCTL calls to enumerate loaded kernel modules and retrieves detailed information about each driver.
Forensic Value
Driver enumeration is essential for detecting rootkits and kernel-level malware. Investigators use this data to identify unsigned or suspicious drivers, detect kernel-mode persistence, validate system integrity, identify outdated or vulnerable drivers, and detect malicious kernel modules. The memory addresses and load order can reveal driver injection or manipulation attempts.
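The following is an added example, not the collector's own code, showing how an analyst might apply the checks described above (invalid signatures, drivers loaded from unexpected paths, missing hashes, and overlapping in-memory load ranges) to records shaped like the Drivers List table. The field names are taken from the table; the sample rows, the list of expected driver directories, and the rules themselves are constructed assumptions for illustration.

```python
"""Triage of Drivers List records (added example, not the collector's code).

Applies simple per-driver and cross-driver checks to rows shaped like the
Drivers List evidence table. Sample rows are constructed; the expected
directory list and every rule here are assumptions, not the tool's logic.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: directories a legitimately installed kernel driver is
# normally loaded from. Anything else is worth a second look.
EXPECTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32",
)


@dataclass
class DriverRecord:
    """One row of the Drivers List evidence (field names follow the table)."""
    FilePath: str
    FileName: str
    FileSize: int
    Hash: str
    Signature: str
    SignatureValid: bool
    BaseAddress: int  # load address, parsed from the "0x..." string
    Size: int         # size of the loaded image in memory


def parse_record(row: dict) -> DriverRecord:
    """Convert a raw row (all values as collected strings) into typed values."""
    return DriverRecord(
        FilePath=row["FilePath"],
        FileName=row["FileName"],
        FileSize=int(row["FileSize"]),
        Hash=row["Hash"],
        Signature=row["Signature"],
        SignatureValid=str(row["SignatureValid"]).upper() == "TRUE",
        BaseAddress=int(row["BaseAddress"], 16),
        Size=int(row["Size"]),
    )


def per_driver_findings(rec: DriverRecord) -> list[str]:
    """Rules that need only a single record."""
    reasons = []
    if not rec.SignatureValid:
        reasons.append("signature missing or invalid")
    directory = rec.FilePath.rsplit("\\", 1)[0].lower()
    if directory not in EXPECTED_DRIVER_DIRS:
        reasons.append(f"unusual load path: {directory}")
    if rec.FileName.lower() != rec.FilePath.rsplit("\\", 1)[-1].lower():
        reasons.append("FileName does not match FilePath")
    if not rec.Hash:
        reasons.append("no hash collected (file unreadable or hidden)")
    return reasons


def overlapping_ranges(records: list[DriverRecord]) -> list[tuple[str, str]]:
    """Pairs of drivers whose [BaseAddress, BaseAddress+Size) ranges overlap.
    Independently loaded images never share memory, so an overlap points
    at a corrupted record or a manipulated module list."""
    ordered = sorted(records, key=lambda r: r.BaseAddress)
    pairs = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.BaseAddress < prev.BaseAddress + prev.Size:
            pairs.append((prev.FileName, cur.FileName))
    return pairs


def triage(rows: list[dict]) -> dict[str, list[str]]:
    """Return {FileName: [reasons]} for every driver with at least one finding."""
    records = [parse_record(r) for r in rows]
    findings: dict[str, list[str]] = {}
    for rec in records:
        reasons = per_driver_findings(rec)
        if reasons:
            findings[rec.FileName] = reasons
    for earlier, later in overlapping_ranges(records):
        findings.setdefault(later, []).append(f"memory range overlaps {earlier}")
    return findings


# Constructed sample rows shaped like the Drivers List table.
SAMPLE_ROWS = [
    {"FilePath": r"C:\Windows\System32\drivers\ntfs.sys", "FileName": "ntfs.sys",
     "FileSize": "1048576", "Hash": "SHA256:a1b2c3", "Signature": "Microsoft Windows",
     "SignatureValid": "TRUE", "BaseAddress": "0xFFFFF80012340000", "Size": "1048576"},
    {"FilePath": r"C:\Users\Public\helper.sys", "FileName": "helper.sys",
     "FileSize": "40960", "Hash": "", "Signature": "",
     "SignatureValid": "FALSE", "BaseAddress": "0xFFFFF80012500000", "Size": "40960"},
    {"FilePath": r"C:\Windows\System32\drivers\disk.sys", "FileName": "disk.sys",
     "FileSize": "81920", "Hash": "SHA256:d4e5f6", "Signature": "Microsoft Windows",
     "SignatureValid": "TRUE", "BaseAddress": "0xFFFFF80012508000", "Size": "81920"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ROWS).items():
        print(name, "->", "; ".join(reasons))
```

Running the block flags `helper.sys` for its invalid signature, unexpected path and missing hash, and flags `disk.sys` because its load range overlaps the one recorded for `helper.sys`; `ntfs.sys` produces no findings. On real output the expected-directory list would be tuned to the environment, and findings would be compared against the file hashes and signer names rather than treated as verdicts on their own.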