Uninformed: Informative Information for the Uninformed

Current v9 v8 v7 v6 v5 v4 v3 v2 v1 All About
Vol 4» 2006.Jun


Next: Device Objects Up: Found An Object, Now Previous: Thread Objects   Contents

Driver Objects

Here is a brief list of things to check when scanning for DRIVER_OBJECT objects.

  • Compare against services found in the service control manager database.
  • Compare against a system call such as nt!NtQuerySystemInformation.
  • Is the object in the global system namespace?
  • Does the driver own any valid device objects?
  • Does the drive base address point to a valid MZ header?
  • Do the object's function pointer fields look correct?
  • Does DriverSection point to a valid nt!_LDR_DATA_TABLE_ENTRY?
  • Does DriverName or the LDR_DATA_TABLE_ENTRY have valid strings? zeroed? garbage?