Drivers List

Overview

Evidence: Drivers List
Description: Collect driver list
Category: System
Platform: windows
Short Name: dri
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Kernel drivers are privileged software components that run in kernel mode with full access to system memory and hardware. Hardware device drivers, file system filter drivers, security products (antivirus, EDR) and some system utilities are implemented as kernel drivers.

Malicious drivers (rootkits) run with the same privileges and can hide processes, files, network connections and other artifacts from user-mode tools. Enumerating the drivers that are actually loaded is therefore critical for detecting kernel-level threats and for understanding the system's low-level software stack.

Data Collected

This collector gathers structured data about each kernel driver loaded on the host: where its image lives on disk, its file system timestamps, hash and signature details, and where it is mapped in kernel memory.

Drivers List Data

Field          | Description                                              | Example
---------------|----------------------------------------------------------|-------------------------------------
FilePath       | Full path to the driver file on disk                     | C:\Windows\System32\drivers\ntfs.sys
FileName       | Driver file name                                         | ntfs.sys
FileSize       | Size of the driver file on disk, in bytes                | 1048576
FileModified   | Last modified timestamp (file system metadata)           | 2023-10-15T14:30:00
FileAccessed   | Last accessed timestamp (file system metadata)           | 2023-10-15T15:45:00
FileCreated    | Creation timestamp (file system metadata)                | 2023-10-01T10:00:00
Hash           | Hash of the driver file, prefixed with the algorithm     | SHA256:a1b2c3...
Signature      | Signer named in the driver's digital signature           | Microsoft Windows
SignatureValid | Whether the digital signature verified (TRUE/FALSE)      | TRUE
BaseAddress    | Kernel virtual address at which the driver image is loaded | 0xFFFFF80012340000
Size           | Size of the loaded driver image in memory, in bytes      | 1048576

Collection Method

This collector uses IOCTL calls to enumerate the kernel modules currently loaded, then retrieves the on-disk metadata, hash and signature details for each driver image and records its load address and in-memory size.

Forensic Value

Driver enumeration is essential for detecting rootkits and kernel-level malware. Investigators use this data to identify unsigned drivers or drivers whose signature fails to verify, spot drivers loaded from unusual locations, detect kernel-mode persistence, validate system integrity by comparing hashes against known-good values, identify outdated or vulnerable drivers (for example, a legitimately signed but exploitable driver brought along by an attacker), and detect malicious kernel modules. The file timestamps place a driver's arrival on the host in the incident timeline, and the base addresses and load order can reveal driver injection or manipulation of the kernel's module list.
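The triage below is an added example and not part of the collector or the product; it shows how the fields above can be worked once they reach an analyst. It parses a constructed CSV export in the collector's field layout (the rows, paths, hashes and the planted svchlp.sys driver are all made up for the example) and flags drivers that are unsigned, that load from outside the expected driver directories (the EXPECTED_DIRS list is an assumption to tune per environment), that were created inside a chosen incident window, or whose load range overlaps another module's.

```python
"""Triage of Drivers List rows: flags unsigned drivers, unusual load paths,
files created inside an incident window, and overlapping load ranges.
Added example with constructed data; not the collector's own code."""
from __future__ import annotations

import csv
import io
from datetime import datetime

# Directories where Windows normally keeps kernel drivers. Assumption for the
# heuristic; add vendor or product directories as your environment requires.
EXPECTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32")

# Constructed sample export in the collector's field layout. The first two
# rows mimic the page's ntfs.sys example; the third is a fabricated unsigned
# driver planted outside the driver directory for demonstration.
SAMPLE_CSV = r"""FilePath,FileName,FileSize,FileModified,FileAccessed,FileCreated,Hash,Signature,SignatureValid,BaseAddress,Size
C:\Windows\System32\drivers\ntfs.sys,ntfs.sys,1048576,2023-10-15T14:30:00,2023-10-15T15:45:00,2023-10-01T10:00:00,SHA256:a1b2c3,Microsoft Windows,TRUE,0xFFFFF80012340000,1048576
C:\Windows\System32\drivers\tcpip.sys,tcpip.sys,2097152,2023-10-15T14:30:00,2023-10-15T15:45:00,2023-10-01T10:00:00,SHA256:d4e5f6,Microsoft Windows,TRUE,0xFFFFF80012440000,2097152
C:\Users\Public\svchlp.sys,svchlp.sys,65536,2023-11-20T02:11:00,2023-11-20T02:11:00,2023-11-20T02:10:00,SHA256:9f8e7d,,FALSE,0xFFFFF80012480000,65536
"""

# Hypothetical incident window used by the demo run.
INCIDENT_WINDOW = (datetime(2023, 11, 19), datetime(2023, 11, 21))


def parse_rows(text: str) -> list[dict]:
    """Parse a CSV export of the Drivers List fields into typed dicts."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({
            "FilePath": raw["FilePath"],
            "FileName": raw["FileName"],
            "FileSize": int(raw["FileSize"]),
            "FileModified": datetime.fromisoformat(raw["FileModified"]),
            "FileCreated": datetime.fromisoformat(raw["FileCreated"]),
            "Hash": raw["Hash"],
            "Signature": raw["Signature"],
            "SignatureValid": raw["SignatureValid"].strip().upper() == "TRUE",
            "BaseAddress": int(raw["BaseAddress"], 16),
            "Size": int(raw["Size"]),
        })
    return rows


def triage(rows: list[dict], window_start: datetime | None = None,
           window_end: datetime | None = None) -> dict[str, list[str]]:
    """Return a mapping of FileName -> list of findings (empty list = clean)."""
    findings: dict[str, list[str]] = {r["FileName"]: [] for r in rows}
    for r in rows:
        if not r["SignatureValid"]:
            findings[r["FileName"]].append("signature missing or invalid")
        directory = r["FilePath"].rsplit("\\", 1)[0].lower()
        if directory not in EXPECTED_DIRS:
            findings[r["FileName"]].append(
                f"loaded from unexpected path {r['FilePath']}")
        if window_start and window_end and window_start <= r["FileCreated"] <= window_end:
            findings[r["FileName"]].append("file created inside incident window")
    # Loaded images occupy disjoint kernel address ranges; an overlap means a
    # stale, injected or tampered entry in the module list and deserves a look.
    ordered = sorted(rows, key=lambda r: r["BaseAddress"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["BaseAddress"] < prev["BaseAddress"] + prev["Size"]:
            findings[cur["FileName"]].append(
                f"load range overlaps {prev['FileName']}")
    return findings


def run_demo() -> dict[str, list[str]]:
    """Run the triage over the constructed export with the demo window."""
    return triage(parse_rows(SAMPLE_CSV), *INCIDENT_WINDOW)


if __name__ == "__main__":
    for name, hits in run_demo().items():
        status = "; ".join(hits) if hits else "no findings"
        print(f"{name}: {status}")
```

On the constructed rows only svchlp.sys is flagged, on all four heuristics; ntfs.sys and tcpip.sys come back clean. A signed driver can still be malicious (stolen certificates and vulnerable signed drivers both pass the signature check), so treat the hash as the field to pivot on against threat intelligence rather than stopping at SignatureValid.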
