[abas2run]

Hi

can any body help me find processes which loads driver in kernel memory with the help of Volatilty?
I mean I need to know each processes have loaded which drivers?
Modscan list the drivers with base address and size in physical memory, how can I find the owner then?

thanks

[EP_X0FF]

Hello,

I don't think this is specially stored anywhere, especially for direct NtLoadDriver. And if drivers were loaded by SCM (CreateService etc) you will have "services.exe" as loader.
But if memory contains pieces of virtual memory of executed processes and you have loaded drivers data you can try to find a cross-references, e.g. process A has a device link \Device\MyDriver and driver B has the same device created so you can assume they are linked and A loads B.