Discovering footprints of loaded and unloaded kernel mode drivers

Background: There are vulnerable kernel mode drivers for Windows systems, which can be loaded into the system for various purposes. Loaded kernel mode drivers leave traces in the system. Anti-cheat software for video games, for example, looks for vulnerable driver traces in various parts of the system because they are used for cheating. The logic used by anti-cheat software could perhaps be (or may already be) used by anti-rootkit tools or rootkits themselves.

I am wondering where traces are left after drivers are loaded and then unloaded. From my research, I found these two places in the Windows NT kernel where unloaded drivers leave traces:

  1. PiDDBCacheTable
  2. MmUnloadedDrivers

(Just to let you know, those are undocumented data structures.) Where else could they leave traces? Is it possible for me to learn this without reverse-engineering the Windows kernel myself?

Well, there’s this.

Not sure what else you’re asking.

Peter

@“Peter_Viscarola_(OSR)” said:
Well, there’s this.

Not sure what else you’re asking.

Peter

This information is incomplete. Windows Events and PiDDBCacheTable also contain information regarding unloaded kernel modules. You are supposed to be the guru of kernel mode development. It is sad that you don’t know much.

Bye bye.

@Tim_Roberts said:
Bye bye.

?

@JordanPietka said:

@Tim_Roberts said:
Bye bye.

?

Hm, you offend the folks who try to help you, and then wonder why they stop replying to you? Really?

@JordanPietka said:

?

Peter owns the company that provides the equipment for this mailing list. It’s his yard. I’m guessing you won’t be here for long.

Look guys, for the Windows kernel, a lot of information is missing. It is so incredibly frustrating that there is no information available publicly. So, people come to these forums and they cannot find information here either.

Also, I didn’t say anything bad about Peter. I just said that it is sad that even Peter doesn’t know a lot of stuff well. This doesn’t mean Peter is an unknowledgeable person.

Also, I didn’t say anything bad about Peter. … This doesn’t mean Peter is an unknowledgeable person.

Maybe you weren’t paying attention, but what you literally typed was “It is sad that you don’t know much.” It is extremely difficult to spin that comment in a positive way.

Besides which, of course, you are being extremely unfair. There are vast amounts of information about the Windows kernel available publicly. The implementation details are still proprietary, and what you are asking for are very narrow implementation details that are unimportant to the vast majority of kernel drivers. I doubt there are more than 2 kernel developers within Microsoft who could address your question. They’re too busy making the system run. Security researchers and professional hackers probably have a clue, but they don’t publish their results in peer-reviewed journals.

@Tim_Roberts said:

Also, I didn’t say anything bad about Peter. … This doesn’t mean Peter is an unknowledgeable person.

Maybe you weren’t paying attention, but what you literally typed was “It is sad that you don’t know much.” It is extremely difficult to spin that comment in a positive way.

It’s called “banter”.

I have to remind everyone that we were all inexperienced once. Strangely enough, it has not yet been pointed out on this thread so far…

Anton Bassov