Driver Objects

Overview

Evidence: Driver Objects
Description: Collect Driver Objects Information
Category: System
Platform: Windows
Short Name: drvobjinf
Is Parsed: Yes - Driver object structures parsed
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Every loaded kernel driver is represented by a DRIVER_OBJECT structure. It records where the driver image sits in memory and holds the dispatch tables the I/O manager uses to hand requests to the driver, so it defines how the driver handles each I/O operation. Analyzing these structures can reveal rootkit behavior, dispatch-table hooking, and the functionality a malicious driver exposes.

The driver object carries the image base (DriverStart) and size (DriverSize) together with the function pointers the kernel calls into the driver: DriverInit (DriverEntry), DriverStartIo, DriverUnload, AddDevice (reached through the driver extension), the 28 MajorFunction entries (the IRP_MJ_* handlers; unused slots point to the kernel's placeholder IopInvalidDeviceRequest), and the Fast I/O dispatch table. A pointer that does not fall inside the owning image, or that is inconsistent with other drivers of the same kind, can indicate that the table was patched.

Data Collected

| Field | Description | Example |
|---|---|---|
| ObjectAddress | Address of the DRIVER_OBJECT structure | 0xFFFF8A8012345678 |
| DriverSize | Size of the driver image in memory, in bytes | 524288 |
| ServiceKeyName | Registry key of the service that loaded the driver | \Registry\Machine\System\CurrentControlSet\Services\MyDriver |
| DriverInit | DriverEntry address | 0xFFFFF80012341000 |
| DriverStart | Driver image base address (not a routine) | 0xFFFFF80012340000 |
| DriverUnload | Unload routine address | 0xFFFFF80012342000 |
| DriverStartIo | StartIo routine address (0 if the driver has none) | 0xFFFFF80012343000 |
| AddDevice | AddDevice routine address from the driver extension | 0xFFFFF80012344000 |
| FIO_0 through FIO_27 | Fast I/O dispatch table entries, one column per slot (0 for unimplemented entries) | 0xFFFFF80012345000 |
| MJ_0 through MJ_27 | MajorFunction[] entries, one column per IRP major function code (MJ_n handles code n) | 0xFFFFF80012346000 |

Collection Method

This collector:

  • Takes a snapshot of the \Driver object directory in the object manager namespace

  • For each driver object, issues an IOCTL to its kernel driver to read the DRIVER_OBJECT structure

  • Records the image base, image size, service key name and the DriverInit, DriverStartIo, DriverUnload and AddDevice pointers

  • Records every function pointer in the dispatch tables

  • Creates the columns FIO_0 through FIO_27 for the Fast I/O entries

  • Creates the columns MJ_0 through MJ_27 for the major functions

Usage

Driver object data supports rootkit detection and driver integrity review. Investigators use it to find hooked dispatch tables (MajorFunction or Fast I/O entries redirected into another module or into memory that belongs to no loaded module), to spot rootkit modifications to driver objects, to check that DriverInit, DriverUnload and AddDevice point into the owning image, and to build a picture of which I/O operations a driver handles during malware analysis. Note that pointer data alone does not reveal inline hooks, where the handler body itself is patched while the table entry stays intact; detecting those requires comparing handler code against the on-disk image.

Known Limitations

  • Requires the collector's kernel driver to be loaded

  • Interpretation requires advanced kernel knowledge

  • Function addresses are system-specific (load addresses differ per boot), so they must be compared against module ranges captured from the same host at the same time

  • Only captures the state at collection time; a hook removed earlier or installed later is missed

  • Very technical data

Notes

Anomalous function pointers (pointing outside the driver image or into unbacked memory) can indicate rootkit hooking. Check each pointer against the range [DriverStart, DriverStart + DriverSize). A pointer into a different loaded module deserves review rather than an automatic verdict: KMDF drivers legitimately dispatch through Wdf01000.sys and class drivers through their class library, whereas a pointer into memory that belongs to no loaded module is a strong hooking indicator. Unused MajorFunction slots legitimately point to the kernel's IopInvalidDeviceRequest, and unimplemented Fast I/O entries (and a missing StartIo) are 0.
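As an added example (not part of the collector or its documentation), the following Python script applies that check to one constructed drvobjinf-style row against a constructed loaded-module list. Every address, module name and the IopInvalidDeviceRequest value are made up for illustration; in a real case the module list comes from a loaded-modules collection taken on the same host at the same time, and the placeholder address is resolved from symbols or taken as the value most driver objects share.

```python
"""Flag DRIVER_OBJECT dispatch pointers that fall outside the owning driver image.

Added example, not part of the collector or its vendor code. The row and the
module list are constructed to look like drvobjinf output plus a loaded-module
list; every address below is made up for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Constructed loaded-module list: (name, base, size).
MODULES: List[Tuple[str, int, int]] = [
    ("ntoskrnl.exe", 0xFFFFF80010000000, 0x1000000),
    ("MyDriver.sys", 0xFFFFF80012340000, 0x80000),
    ("Rootkit.sys", 0xFFFFF80019000000, 0x20000),
]

# Constructed value for nt!IopInvalidDeviceRequest, placed inside the
# constructed ntoskrnl range. Unused MajorFunction slots point here.
IOP_INVALID_DEVICE_REQUEST = 0xFFFFF80010123450

# Constructed drvobjinf-style row. MJ_n is the handler for IRP major function
# code n (MJ_0 = IRP_MJ_CREATE, MJ_3 = IRP_MJ_READ, MJ_4 = IRP_MJ_WRITE,
# MJ_14 = IRP_MJ_DEVICE_CONTROL). Fast I/O entries are 0 when unimplemented.
ROW: Dict[str, int] = {
    "ObjectAddress": 0xFFFF8A8012345678,
    "DriverStart": 0xFFFFF80012340000,
    "DriverSize": 524288,
    "DriverInit": 0xFFFFF80012341000,
    "DriverUnload": 0xFFFFF80012342000,
    "DriverStartIo": 0,                      # driver has no StartIo routine
    "AddDevice": 0xFFFFF80012344000,
    "MJ_0": 0xFFFFF80012346000,              # inside MyDriver.sys
    "MJ_2": 0xFFFFF80012346100,
    "MJ_3": IOP_INVALID_DEVICE_REQUEST,      # IRP_MJ_READ not implemented
    "MJ_4": 0xFFFF9A8000001000,              # IRP_MJ_WRITE -> no loaded module
    "MJ_13": 0xFFFFF80012346200,
    "MJ_14": 0xFFFFF80019001000,             # IRP_MJ_DEVICE_CONTROL -> Rootkit.sys
    "FIO_1": 0,                              # Fast I/O entry not implemented
    "FIO_9": 0xFFFFF80012347000,
}


def module_for(addr: int, modules: List[Tuple[str, int, int]]) -> Optional[str]:
    """Name of the loaded module whose range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def classify_pointer(field: str, addr: int, row: Dict[str, int],
                     modules: List[Tuple[str, int, int]],
                     invalid_request: int = IOP_INVALID_DEVICE_REQUEST) -> str:
    """Return 'ok', 'unimplemented', 'other_module' or 'unbacked' for one pointer."""
    if addr == 0:
        return "unimplemented"          # NULL Fast I/O entry or missing StartIo
    if field.startswith("MJ_") and addr == invalid_request:
        return "unimplemented"          # kernel placeholder for unused IRP_MJ slots
    start, size = row["DriverStart"], row["DriverSize"]
    if start <= addr < start + size:
        return "ok"                     # inside [DriverStart, DriverStart + DriverSize)
    if module_for(addr, modules) is None:
        return "unbacked"               # no loaded module owns this address
    return "other_module"               # review: KMDF/class-library dispatch is legitimate


def audit_driver_object(row: Dict[str, int], modules: List[Tuple[str, int, int]],
                        invalid_request: int = IOP_INVALID_DEVICE_REQUEST
                        ) -> Dict[str, Tuple[int, str, Optional[str]]]:
    """Map each suspicious field to (address, verdict, owning module or None)."""
    findings = {}
    for field, addr in row.items():
        if field in ("ObjectAddress", "DriverStart", "DriverSize"):
            continue                    # metadata, not a function pointer
        verdict = classify_pointer(field, addr, row, modules, invalid_request)
        if verdict in ("other_module", "unbacked"):
            findings[field] = (addr, verdict, module_for(addr, modules))
    return findings


if __name__ == "__main__":
    for field, (addr, verdict, owner) in sorted(audit_driver_object(ROW, MODULES).items()):
        print(f"{field:6} {addr:#018x} {verdict:13} {owner or '<no module>'}")
```

The two verdicts are deliberately kept apart: an entry in unbacked memory is reported as a hooking indicator on its own, while an entry in another loaded module is only queued for review, since frameworks such as KMDF legitimately route every major function through Wdf01000.sys. Run the same audit over every row of the collection and group the "other_module" results by owning module; a module that owns dispatch entries for many unrelated drivers is either a framework or the thing you are looking for.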
