# Drivers List

## Overview

**Evidence:** Drivers List\
**Description:** Collect driver list\
**Category:** System\
**Platform:** windows\
**Short Name:** dri\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Kernel drivers are privileged software components that run in kernel mode with full access to system memory and hardware. They are used for device drivers, file system filters, security software, and system utilities.

Malicious drivers (rootkits) can hide processes, files, network connections, and other artifacts from user-mode tools. Enumerating loaded drivers is critical for detecting kernel-level threats and understanding the system's low-level software stack.

## Data Collected

This collector gathers one structured record per loaded kernel driver, with the fields described below.

### Drivers List Data

| Field            | Description                           | Example                              |
| ---------------- | ------------------------------------- | ------------------------------------ |
| `FilePath`       | Full path to the driver file          | C:\Windows\System32\drivers\ntfs.sys |
| `FileName`       | Driver file name                      | ntfs.sys                             |
| `FileSize`       | Size of the driver file               | 1048576                              |
| `FileModified`   | Last modified timestamp               | 2023-10-15T14:30:00                  |
| `FileAccessed`   | Last accessed timestamp               | 2023-10-15T15:45:00                  |
| `FileCreated`    | Creation timestamp                    | 2023-10-01T10:00:00                  |
| `Hash`           | Hash of the driver file               | SHA256:a1b2c3...                     |
| `Signature`      | Digital signature information         | Microsoft Windows                    |
| `SignatureValid` | Whether signature is valid            | TRUE                                 |
| `BaseAddress`    | Memory address where driver is loaded | 0xFFFFF80012340000                   |
| `Size`           | Size of loaded driver in memory       | 1048576                              |

## Collection Method

This collector enumerates the loaded kernel modules through IOCTL calls and then gathers, for each driver, the file metadata, hash, signature and load-address details listed in the table above.

## Forensic Value

Driver enumeration is essential for detecting rootkits and kernel-level malware. Investigators use this data to identify unsigned or suspicious drivers, detect kernel-mode persistence, validate system integrity, identify outdated or vulnerable drivers, and detect malicious kernel modules. The base addresses, in-memory sizes and load order can reveal driver injection or manipulation attempts.
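The following script is an added example, not part of this page or of the collector itself. It shows how an analyst might triage records in the Drivers List schema above (the field names `FilePath`, `FileName`, `Signature`, `SignatureValid`, `BaseAddress` and `Size` are taken from the table; the other fields are omitted) against the checks named in this section: invalid or missing signatures, drivers loaded from outside the standard driver directories, a `FileName` that does not match `FilePath`, and in-memory load ranges that overlap, which loaded images should never do. The trusted-directory list and the three sample records are constructed for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


# A subset of the fields in the Drivers List schema (names kept as on the page).
@dataclass(frozen=True)
class DriverRecord:
    FilePath: str
    FileName: str
    Signature: str
    SignatureValid: bool
    BaseAddress: int   # virtual address where the module is loaded
    Size: int          # size of the loaded image in memory


# Directories from which Windows normally loads kernel drivers.
# This list is an assumption for the example; tune it per environment.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
    "c:\\windows\\system32",
)

# Constructed sample records; not real collector output.
SAMPLE_DRIVERS = [
    DriverRecord("C:\\Windows\\System32\\drivers\\ntfs.sys", "ntfs.sys",
                 "Microsoft Windows", True, 0xFFFFF80012340000, 0x100000),
    DriverRecord("C:\\Windows\\System32\\drivers\\disk.sys", "disk.sys",
                 "Microsoft Windows", True, 0xFFFFF80012500000, 0x20000),
    # Hypothetical driver loaded from a user-writable path, unsigned, and
    # whose reported in-memory range collides with ntfs.sys.
    DriverRecord("C:\\Users\\Public\\drv\\helper.sys", "helper.sys",
                 "", False, 0xFFFFF80012400000, 0x10000),
]


def check_record(rec):
    """Per-driver checks: signature validity, load path, name/path consistency."""
    findings = []
    if not rec.SignatureValid:
        findings.append((rec.FileName, "signature missing or invalid"))
    path = PureWindowsPath(rec.FilePath)
    parent = str(path.parent).lower()
    if not parent.startswith(TRUSTED_DRIVER_DIRS):
        findings.append((rec.FileName, f"loaded from non-standard directory {parent}"))
    if path.name.lower() != rec.FileName.lower():
        findings.append((rec.FileName, f"FileName does not match FilePath ({rec.FilePath})"))
    return findings


def find_overlaps(records):
    """Flag drivers whose [BaseAddress, BaseAddress + Size) range overlaps an
    earlier one. Loaded images occupy disjoint address ranges, so an overlap
    indicates a bad record or tampering with the module list."""
    findings = []
    prev = None  # record with the highest end address seen so far
    for cur in sorted(records, key=lambda r: r.BaseAddress):
        if prev is not None and cur.BaseAddress < prev.BaseAddress + prev.Size:
            findings.append((cur.FileName, f"load range overlaps {prev.FileName}"))
        if prev is None or cur.BaseAddress + cur.Size > prev.BaseAddress + prev.Size:
            prev = cur
    return findings


def triage(records):
    """Return (FileName, reason) pairs for every driver that deserves a closer look."""
    findings = []
    for rec in records:
        findings.extend(check_record(rec))
    findings.extend(find_overlaps(records))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_DRIVERS):
        print(f"{name}: {reason}")
```

On the sample data `triage` reports three findings, all against `helper.sys`. Note that `FileSize` and `Size` are deliberately not compared: the in-memory image size is section-aligned and routinely differs from the on-disk size, so such a check would only generate noise.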
