Informative Information for the Uninformed
An earlier tool named MODGREPPER, written by Joanna Rutkowska of invisiblethings.org, used a signature-based approach to detect hidden DRIVER_OBJECTs. This signature was later 'broken' by valerino, as described in a rootkit.com article titled "Please don't greap me!". Listed here are a few fields upon which a signature could be built to detect DRIVER_OBJECTs.
The following fields of the DRIVER_OBJECT can be validated by ensuring that they fall within the range of a loaded driver image, such that:
DriverStart < FIELD < DriverStart + DriverSize.
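The range check above, applied as a sliding scan over a memory buffer. This is an added example, not code from MODGREPPER or from the original article. The `candidate` struct, its field count and the sample values are assumptions made for illustration and do not reflect the real DRIVER_OBJECT layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NFIELDS 3  /* assumption: number of pointer fields the signature checks */

/* Simplified stand-in, not the real DRIVER_OBJECT layout (assumed fields). */
struct candidate {
    uintptr_t driver_start;     /* DriverStart */
    uintptr_t driver_size;      /* DriverSize, widened to pointer size here */
    uintptr_t fields[NFIELDS];  /* pointers expected to land inside the image */
};
/* DriverStart < FIELD < DriverStart + DriverSize for every field. */
static int candidate_is_plausible(const struct candidate *c)
{
    if (c->driver_start == 0 || c->driver_size == 0 ||
        c->driver_size > UINTPTR_MAX - c->driver_start)
        return 0;  /* null or empty image, or a range that wraps */
    for (size_t i = 0; i < NFIELDS; i++)
        if (c->fields[i] <= c->driver_start ||
            c->fields[i] - c->driver_start >= c->driver_size)
            return 0;  /* field on or outside the image bounds */
    return 1;
}

/* Slide over buf at pointer-aligned offsets; record up to max_hits offsets. */
size_t scan_for_candidates(const unsigned char *buf, size_t len,
                           size_t *hits, size_t max_hits)
{
    size_t n = 0;
    struct candidate c;
    for (size_t off = 0; off + sizeof c <= len; off += sizeof(uintptr_t)) {
        memcpy(&c, buf + off, sizeof c);  /* copy out: no unaligned reads */
        if (!candidate_is_plausible(&c)) continue;
        if (n < max_hits) hits[n] = off;
        n++;
    }
    return n;
}

/* Constructed sample: valid at word 4, wrapping range at 16, field == end bound at 24. */
size_t demo_scan(size_t *first_hit)
{
    uintptr_t w[32] = {0}, hi = UINTPTR_MAX - 0x10;
    uintptr_t a[] = {0x10000, 0x8000, 0x10100, 0x12000, 0x17fff};
    uintptr_t b[] = {hi, 0x1000, hi + 1, hi + 2, hi + 3};
    uintptr_t c[] = {0x20000, 0x1000, 0x20010, 0x20020, 0x21000};
    memcpy(&w[4], a, sizeof a); memcpy(&w[16], b, sizeof b); memcpy(&w[24], c, sizeof c);
    return scan_for_candidates((const unsigned char *)w, sizeof w, first_hit, 1);
}
int main(void) { size_t off; return demo_scan(&off) == 1 ? 0 : 1; }
```

Only the record at word 4 is reported: the bounds are strict, so a field equal to either end of the image range is rejected, as is any record whose DriverStart + DriverSize would wrap the address space.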