5. Listing Kernel Modules
To list the kernel modules, you can use the modules plugin. This plugin relies on walking the doubly linked list of metadata structures (KLDR_DATA_TABLE_ENTRY) pointed to by PsLoadedModuleList (this technique is similar to walking the doubly linked list of _EPROCESS structures, as described in Chapter 10, Hunting Malware Using Memory Forensics, in the Understanding ActiveProcessLinks section). Each KLDR_DATA_TABLE_ENTRY records, among other fields, the module's base address, its size, and its full path on disk, which is what the plugin prints for every entry it reaches. Listing kernel modules may not always help you identify the malicious kernel driver out of the hundreds of loaded kernel modules, but it can be useful for spotting a suspicious indicator, such as a kernel driver with a weird name, or a kernel module loaded from a non-standard path or a temporary directory. The modules plugin lists the kernel modules in the order in which they were loaded, which means that if a rootkit driver was installed recently, you are very likely to find that module at the end of the list, provided the module is not hidden and the system was not rebooted...
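The following is an added example, not code from the book or from the Volatility project, that shows the list walk described above on a constructed 64-bit memory image. The KLDR_DATA_TABLE_ENTRY layout it uses is a simplified assumption (real offsets differ between Windows builds and come from the Volatility profile), the module paths are constructed sample data, and the address 0xFFFFF80001000000 is an arbitrary choice for where PsLoadedModuleList lives. It walks Flink from the list head in load order, flags modules loaded from temporary or non-standard paths, and then unlinks the last entry the way a rootkit would, to show why a hidden driver does not appear in the walk.

```python
import struct
from dataclasses import dataclass

# Illustrative 64-bit layout of the KLDR_DATA_TABLE_ENTRY fields the walk needs.
# Real field offsets differ between Windows builds (Volatility takes them from
# the profile); this layout is an assumption made for the constructed image.
ENTRY_FMT = "<QQQI4xHH4xQ"   # Flink, Blink, DllBase, SizeOfImage, pad,
                             # FullDllName.Length/.MaximumLength, pad, .Buffer
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 48 bytes
LIST_ENTRY_SIZE = 16

@dataclass
class Module:
    address: int   # address of the KLDR_DATA_TABLE_ENTRY itself
    base: int      # DllBase
    size: int      # SizeOfImage
    path: str      # FullDllName

# Constructed sample: four legitimate-looking paths and one loaded from a Temp folder.
SAMPLE_PATHS = [
    "\\SystemRoot\\system32\\ntoskrnl.exe",
    "\\SystemRoot\\system32\\hal.dll",
    "\\SystemRoot\\System32\\drivers\\ACPI.sys",
    "\\SystemRoot\\system32\\DRIVERS\\tcpip.sys",
    "\\??\\C:\\Users\\victim\\AppData\\Local\\Temp\\drv.sys",
]

def build_image(head_addr, paths, first_base=0xFFFFF80002000000, size=0x10000):
    """Build a constructed memory image whose first byte is at head_addr: a
    LIST_ENTRY head (PsLoadedModuleList), one entry per path, then the UTF-16
    path strings. Entries are linked circularly in the order given."""
    n = len(paths)
    nodes = [head_addr] + [head_addr + LIST_ENTRY_SIZE + i * ENTRY_SIZE for i in range(n)]
    blobs = [p.encode("utf-16-le") for p in paths]
    str_addrs, cursor = [], head_addr + LIST_ENTRY_SIZE + n * ENTRY_SIZE
    for b in blobs:
        str_addrs.append(cursor)
        cursor += len(b) + 2                       # trailing UTF-16 NUL
    image = bytearray()
    for k in range(len(nodes)):
        flink = nodes[(k + 1) % len(nodes)]        # circular: last entry -> head
        blink = nodes[(k - 1) % len(nodes)]
        if k == 0:
            image += struct.pack("<QQ", flink, blink)
        else:
            i = k - 1
            image += struct.pack(ENTRY_FMT, flink, blink, first_base + i * size, size,
                                 len(blobs[i]), len(blobs[i]) + 2, str_addrs[i])
    for b in blobs:
        image += b + b"\x00\x00"
    return bytes(image)

def walk_loaded_modules(image, image_base, head_addr, max_entries=4096):
    """Walk PsLoadedModuleList from its list head, following Flink until the
    walk returns to the head. Bails out on a cycle, a pointer outside the
    image, or a Blink that does not point back, all signs of a corrupted list."""
    cur = struct.unpack_from("<Q", image, head_addr - image_base)[0]   # head.Flink
    prev, seen, modules = head_addr, set(), []
    while cur != head_addr:
        off = cur - image_base
        if cur in seen or len(modules) >= max_entries:
            raise ValueError(f"cycle in PsLoadedModuleList at {cur:#x}")
        if off < 0 or off + ENTRY_SIZE > len(image):
            raise ValueError(f"entry {cur:#x} lies outside the image")
        flink, blink, base, size, slen, _, sbuf = struct.unpack_from(ENTRY_FMT, image, off)
        if blink != prev:
            raise ValueError(f"Blink of {cur:#x} does not point back to {prev:#x}")
        path = image[sbuf - image_base : sbuf - image_base + slen].decode("utf-16-le")
        modules.append(Module(cur, base, size, path))
        seen.add(cur)
        prev, cur = cur, flink
    return modules

TRUSTED_PREFIXES = ("\\systemroot\\system32\\", "\\??\\c:\\windows\\system32\\",
                    "\\windows\\system32\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\appdata\\")

def suspicious_paths(modules):
    """Flag modules loaded from temporary/user-profile or non-standard paths."""
    findings = []
    for m in modules:
        p = m.path.lower()
        if any(marker in p for marker in TEMP_MARKERS):
            findings.append((m.path, "loaded from a temporary or user-profile path"))
        elif not p.startswith(TRUSTED_PREFIXES):
            findings.append((m.path, "loaded from a non-standard path"))
    return findings

def unlink_entry(image, image_base, addr):
    """DKOM-style unlink of one entry (what a rootkit does to hide its driver),
    applied to a copy of the image: prev.Flink = next, next.Blink = prev."""
    img = bytearray(image)
    flink, blink = struct.unpack_from("<QQ", img, addr - image_base)
    struct.pack_into("<Q", img, blink - image_base, flink)
    struct.pack_into("<Q", img, flink - image_base + 8, blink)
    return bytes(img)

if __name__ == "__main__":
    head = 0xFFFFF80001000000            # assumed address of PsLoadedModuleList
    image = build_image(head, SAMPLE_PATHS)
    mods = walk_loaded_modules(image, head, head)
    for m in mods:
        print(f"{m.base:#018x} {m.size:#08x} {m.path}")
    for path, why in suspicious_paths(mods):
        print(f"SUSPICIOUS: {path}: {why}")
    hidden = unlink_entry(image, head, mods[-1].address)
    print(len(walk_loaded_modules(hidden, head, head)), "modules visible after the last entry is unlinked")
```

The walk reports the modules in load order, so the Temp-folder driver is the last line and the only one flagged; after unlink_entry removes it from the list, the same walk returns only the four legitimate modules, which is exactly the "provided the module is not hidden" caveat. The Blink-consistency and cycle checks are there because a partially unlinked or deliberately corrupted list otherwise sends a naive walker into an infinite loop or off into unmapped memory. A driver hidden this way still has its KLDR_DATA_TABLE_ENTRY in pool memory, which is why a list walk has to be paired with a scan for those structures (Volatility's modscan plugin) rather than trusted on its own.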