A forum for reverse engineering, OS internals and malware analysis 

 #33134  by JordanPietka
 Sat Aug 10, 2019 6:28 am
Background: There are vulnerable kernel mode drivers for Windows systems, which can be loaded into the system for various purposes. Loaded kernel mode drivers leave traces in the system. Anti-cheat software for video games, for example, look for vulnerable driver traces in various parts of the system because they are used for cheating. The logic used by anti-cheat software could perhaps be (or were already) used by anti-rootkit tools or rootkits themselves.

I am wondering where traces are left after drivers are loaded and then unloaded. From my research, I found these two places in Windows NT kernel, where unloaded drivers leave traces:

  • PiDDBCacheTable
  • MmUnloadedDrivers
Just to let you know, those are undocumented data structures.
Where else could they leave traces? Is it possible for me to learn it without reverse-engineering the Windows kernel by myself?
 #33135  by Brock
 Sat Aug 10, 2019 9:48 pm
Tags from pool memory that has not been deallocated and registry values that may have been left behind are another couple of potential areas to investigate. Does not matter if the driver is loaded normally or sideloaded off a vulnerable driver in the system, there can be quite a bit of artifacts left behind, especially seen in full physical memory dumps.
 #33138  by JordanPietka
 Sun Aug 11, 2019 8:32 am
EP_X0FF wrote:It is depends on what you want to achieve. Currently it looks like you are either cheat or anti-cheat developer. No malware works in a different way.
I am not an anti-cheat or cheat developer. I am a full time student and work part-time as a full-stack (Python, SQLite and Angular) developer. However, I am extremely interested in kernel mode development, in particular in anti-cheat software.
I am not sure if you allow discussion or questions regarding these topics. Please do let me if such questions or discussions are welcome here.