Drivers List

Overview

Evidence: Drivers List
Description: Collect Driver List
Category: System
Platform: Windows
Short Name: dri
Is Parsed: Yes - Driver information is parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Kernel drivers are privileged software components that run in kernel mode with full access to system memory and hardware. They are used for device drivers, file system filters, security software, and system utilities.

Malicious drivers (rootkits) can hide processes, files, network connections, and other artifacts from user-mode tools. Enumerating loaded drivers is critical for detecting kernel-level threats and understanding the system's low-level software stack.

Data Collected

Field | Description | Example
--- | --- | ---
FilePath | Full path to the driver file | C:\Windows\System32\drivers\ntfs.sys
FileName | Driver file name | ntfs.sys
FileSize | Size of the driver file (bytes) | 1048576
FileModified | Last modified timestamp | 2023-10-15T14:30:00
FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00
FileCreated | Creation timestamp | 2023-10-01T10:00:00
Hash | Hash of the driver file | SHA256:a1b2c3...
Signature | Digital signature information | Microsoft Windows
SignatureValid | Whether the signature is valid | TRUE
BaseAddress | Memory address where the driver is loaded | 0xFFFFF80012340000
Size | Size of the loaded driver in memory (bytes) | 1048576

Collection Method

This collector uses IOCTL calls to the kernel driver to enumerate system modules via IoctlGetSystemModules(). For each loaded driver, it:

  • Retrieves the driver's file path from kernel structures

  • Normalizes the path to a full DOS path

  • Searches System32\drivers if the path is relative

  • Collects file information and digital signature data

Usage

Driver enumeration is essential for detecting rootkits and kernel-level malware. Investigators use this data to identify unsigned or suspicious drivers, detect kernel-mode persistence, validate system integrity, identify outdated or vulnerable drivers, and detect malicious kernel modules. The memory addresses and load order can reveal driver injection or manipulation attempts.

Known Limitations

  • Only enumerates currently loaded drivers

  • Requires kernel driver access

  • Not available on ARM64 systems

  • Some boot drivers may not be fully captured

Notes

Pay special attention to drivers without valid digital signatures, drivers loaded from unusual locations, and drivers with suspicious names or attributes. Cross-reference driver hashes with known-good baselines.
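The triage described in the Usage and Notes sections, as an added example that is not the collector's own code: it runs over parsed Drivers List records (field names mirror the table above), flags invalid signatures, unexpected load locations and hashes absent from a known-good baseline, and checks whether any two loaded images overlap in memory. The sample records, hash values and baseline are constructed; the expected directory set is an assumption to be extended from your own baseline.

```python
# Added example (not the collector's code): triage parsed Drivers List records.
import ntpath
from dataclasses import dataclass

# Expected location per this page; extend from your baseline (e.g. DriverStore).
EXPECTED_DIRS = {r"c:\windows\system32\drivers"}

@dataclass
class DriverRecord:          # field names mirror the table on this page
    FilePath: str
    FileName: str
    Hash: str                # "SHA256:<hex>" as in the table
    Signature: str
    SignatureValid: bool
    BaseAddress: int         # kernel load address
    Size: int                # size of the loaded image in memory

def triage(records, baseline_hashes):
    """Return {FileName: [reasons]} for drivers that need a closer look."""
    known = {h.lower() for h in baseline_hashes}
    findings = {}
    for r in records:
        reasons = []
        if not r.SignatureValid:
            reasons.append("signature missing or invalid")
        if ntpath.dirname(r.FilePath).lower() not in EXPECTED_DIRS:
            reasons.append("loaded from outside System32\\drivers")
        if r.Hash.lower() not in known:
            reasons.append("hash not in known-good baseline")
        if reasons:
            findings[r.FileName] = reasons
    return findings

def overlapping_images(records):
    """Pairs whose [Base, Base+Size) ranges overlap (hint of image tampering)."""
    ordered = sorted(records, key=lambda r: r.BaseAddress)
    return [(a.FileName, b.FileName) for a, b in zip(ordered, ordered[1:])
            if b.BaseAddress < a.BaseAddress + a.Size]

# Constructed sample data: one baseline driver and one suspicious record.
BASELINE = {"SHA256:" + "a1" * 32}
SAMPLE = [
    DriverRecord(r"C:\Windows\System32\drivers\ntfs.sys", "ntfs.sys",
                 "SHA256:" + "a1" * 32, "Microsoft Windows", True,
                 0xFFFFF80012340000, 1048576),
    DriverRecord(r"C:\Users\Public\sample_unsigned.sys", "sample_unsigned.sys",
                 "SHA256:" + "ff" * 32, "", False, 0xFFFFF80012380000, 65536),
]
```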
