Driver Objects

Overview

Evidence: Driver Objects
Description: Collect Driver Objects Information
Category: System
Platform: windows
Short Name: drvobjinf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Kernel driver objects contain detailed information about loaded drivers including their dispatch tables, which specify how the driver handles various I/O operations. Analyzing driver object details can reveal rootkit behavior, driver hooking, and malicious driver functionality.

The driver object includes function pointers for DriverInit, DriverStart, DriverUnload, major functions (IRP handlers), and Fast I/O routines. Anomalies in these function pointers can indicate driver compromise.

Data Collected

This collector gathers structured data about driver objects.

Driver Objects Data

Field           Description                    Example
ObjectAddress   Driver object address          0xFFFF8A8012345678
DriverSize      Size of driver in memory       524288
ServiceKeyName  Service registry key name      \Registry\Machine\System\CurrentControlSet\Services\MyDriver
DriverInit      DriverEntry address            0xFFFFF80012340000
DriverStart     Driver start routine address   0xFFFFF80012341000
DriverUnload    Driver unload routine address  0xFFFFF80012342000
DriverStartIo   StartIo routine address        0xFFFFF80012343000
AddDevice       AddDevice routine address      0xFFFFF80012344000

Collection Method

This collector:

  • Creates a snapshot of the \Driver object directory

  • For each driver object, uses an IOCTL to retrieve detailed information

  • Extracts driver object structure details

  • Records all function pointers from dispatch tables

  • Creates columns for all 28 Fast I/O functions

  • Creates columns for all 28 Major functions

Forensic Value

Driver object analysis enables advanced rootkit detection and driver security analysis. Investigators use this data to detect hooked driver dispatch tables, identify rootkit driver modifications, analyze driver functionality, detect inline hooking of drivers, verify driver integrity, identify suspicious function pointers, and perform advanced malware analysis.
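The suspicious-function-pointer check described above, as an added example in Python (not part of this documentation or the product's own code): it takes one record in the shape of the Driver Objects fields, treats DriverStart and DriverSize as the driver image's base and length (which is how the kernel's DRIVER_OBJECT lays them out), and flags any routine or Major function pointer that resolves to neither the driver itself nor the kernel image. The module list and the sample record are constructed.

```python
# Constructed module list (kernel plus one unrelated driver); in practice it
# comes from a loaded-module enumeration, not from this collector.
KNOWN_MODULES = {"ntoskrnl.exe": (0xFFFFF80010000000, 0x01000000),
                 "otherdrv.sys": (0xFFFFF80020000000, 0x00020000)}

def module_for(addr, modules):
    """Name of the module whose [base, base+size) range holds addr, if any."""
    return next((n for n, (b, s) in modules.items() if b <= addr < b + s), None)

# Constructed record using the field names documented above. IRP_MJ_READ is
# left at a kernel-provided default handler, IRP_MJ_WRITE points into another
# driver's image and IRP_MJ_DEVICE_CONTROL into memory no module backs.
SAMPLE_RECORD = {
    "ServiceKeyName": r"\Registry\Machine\System\CurrentControlSet\Services\MyDriver",
    "DriverStart": 0xFFFFF80012340000,
    "DriverSize": 524288,
    "DriverInit": 0xFFFFF80012341000,
    "DriverUnload": 0xFFFFF80012342000,
    "DriverStartIo": 0,
    "AddDevice": 0xFFFFF80012344000,
    "MajorFunction[IRP_MJ_CREATE]": 0xFFFFF80012345000,
    "MajorFunction[IRP_MJ_READ]": 0xFFFFF80010234560,
    "MajorFunction[IRP_MJ_WRITE]": 0xFFFFF80020001230,
    "MajorFunction[IRP_MJ_DEVICE_CONTROL]": 0xFFFF8A80DEAD0000,
}
ROUTINE_FIELDS = ("DriverInit", "DriverUnload", "DriverStartIo", "AddDevice")

def classify(record, modules=KNOWN_MODULES):
    """Map each routine and dispatch-table field to where its pointer resolves."""
    own = record["ServiceKeyName"].rsplit("\\", 1)[-1]
    table = {own: (record["DriverStart"], record["DriverSize"]), **modules}
    verdicts = {}
    for field, addr in record.items():
        if field in ROUTINE_FIELDS or field.startswith("MajorFunction["):
            hit = module_for(addr, table)
            verdicts[field] = "unset" if addr == 0 else (f"in:{hit}" if hit else "unbacked")
    return verdicts

def suspicious(record, modules=KNOWN_MODULES):
    """Fields whose pointer lands outside the driver and the kernel image,
    the pattern a hooked dispatch table leaves behind."""
    own = record["ServiceKeyName"].rsplit("\\", 1)[-1]
    allowed = {"unset", f"in:{own}", "in:ntoskrnl.exe"}
    return [f for f, v in classify(record, modules).items() if v not in allowed]
```

A pointer into another module is reported so the investigator can decide whether it is a legitimate filter arrangement; a pointer no module backs is the stronger indicator.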
