DioProcess

Driver Enumeration

Ring 0

Enumerate all loaded kernel drivers with their base addresses, sizes, entry points, and file paths.

Overview

Driver enumeration provides a comprehensive view of every kernel-mode module loaded in the system. This includes the .sys drivers under System32\drivers as well as the kernel image itself and its companion modules (ntoskrnl.exe, hal.dll, CI.dll), which live in System32 rather than System32\drivers. This is useful for identifying security products, rootkits, and understanding the kernel environment.

DriverInfo Structure

crates/callback/src/types.rs
pub struct DriverInfo {
    pub base_address: u64,      // Driver image base in kernel memory
    pub size: u64,              // Size of driver image
    pub entry_point: u64,       // DriverEntry address
    pub driver_object: u64,     // DRIVER_OBJECT address
    pub driver_name: String,    // Driver name (e.g., "\Driver\DioProcess")
    pub path: String,           // File path (e.g., "C:\Windows\System32\drivers\...")
    pub service_name: String,   // Service registry key name
}

Implementation

Algorithm
// DRIVER_INFO is the kernel-side mirror of the Rust DriverInfo (Path and
// DriverName assumed to be fixed-size WCHAR arrays). PsLoadedModuleList and
// LDR_DATA_TABLE_ENTRY are assumed declared elsewhere: the structure is
// undocumented and its layout must match the target kernel build.
// Requires <ntifs.h> and <ntstrsafe.h>.
NTSTATUS EnumerateKernelDrivers(PDRIVER_INFO Drivers, ULONG MaxCount, PULONG Count) {
    PLIST_ENTRY Head = PsLoadedModuleList;
    ULONG n = 0;

    // Method 1: walk PsLoadedModuleList (the kernel's loaded-module list).
    // Modules can load or unload while we walk; a production walk runs at
    // PASSIVE_LEVEL holding the list's ERESOURCE (PsLoadedModuleResource)
    // shared, inside KeEnterCriticalRegion/KeLeaveCriticalRegion.
    for (PLIST_ENTRY Entry = Head->Flink; Entry != Head; Entry = Entry->Flink) {
        PLDR_DATA_TABLE_ENTRY LdrEntry = CONTAINING_RECORD(
            Entry,
            LDR_DATA_TABLE_ENTRY,
            InLoadOrderLinks
        );

        if (n >= MaxCount) {
            *Count = n;                       // tell the caller how many fit
            return STATUS_BUFFER_TOO_SMALL;   // caller retries with a larger buffer
        }
        PDRIVER_INFO Info = &Drivers[n++];

        Info->BaseAddress = (ULONG64)LdrEntry->DllBase;
        Info->Size        = LdrEntry->SizeOfImage;
        Info->EntryPoint  = (ULONG64)LdrEntry->EntryPoint;

        // UNICODE_STRING buffers are not NUL-terminated and belong to the
        // kernel's loader data: copy Length bytes into our own storage instead
        // of keeping the raw pointer (which dangles once the module unloads).
        RtlStringCbCopyUnicodeString(Info->Path, sizeof(Info->Path), &LdrEntry->FullDllName);
        RtlStringCbCopyUnicodeString(Info->DriverName, sizeof(Info->DriverName), &LdrEntry->BaseDllName);
    }

    // Method 2: driver-object enumeration. Open the \Driver and \FileSystem
    // object directories (ZwOpenDirectoryObject / ZwQueryDirectoryObject) and
    // resolve each name with ObReferenceObjectByName(..., *IoDriverObjectType, ...)
    // to obtain DRIVER_OBJECT pointers. This fills driver_object/driver_name
    // and also finds a driver whose entry was unlinked from the module list.

    *Count = n;
    return STATUS_SUCCESS;
}

API

Usage
use callback::{enumerate_kernel_drivers, DriverInfo};

// Assumes the crate's error type implements std::error::Error so `?` works here.
fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Get all loaded drivers
    let drivers: Vec<DriverInfo> = enumerate_kernel_drivers()?;

    // Find security product drivers (substring match on the lower-cased path)
    let security_drivers: Vec<&DriverInfo> = drivers
        .iter()
        .filter(|d| {
            let p = d.path.to_lowercase();
            p.contains("symantec") || p.contains("crowdstrike") || p.contains("defender")
        })
        .collect();

    // Find drivers loaded from non-standard paths. Backslashes must be escaped
    // in Rust string literals, and paths from the module list are often in NT
    // form (\SystemRoot\System32\drivers\...), so match on the
    // "system32\drivers\" segment rather than a full Win32 path.
    let suspicious: Vec<&DriverInfo> = drivers
        .iter()
        .filter(|d| !d.path.to_lowercase().contains("system32\\drivers\\"))
        .collect();

    println!(
        "{} security drivers, {} loaded from non-standard paths",
        security_drivers.len(),
        suspicious.len()
    );
    Ok(())
}

IOCTL

IOCTL          Code          Description
ENUM_DRIVERS   0x00222048    Enumerate all loaded kernel drivers
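The control code above follows the WDK CTL_CODE layout (DeviceType in bits 16-31, Access in bits 14-15, Function in bits 2-13, Method in bits 0-1). The following is an added example, not DioProcess code, that decodes ENUM_DRIVERS into those fields and rebuilds it; the constant names mirror the WDK macros and the decoded values are checked in main:

```rust
// Added example (not DioProcess code): take apart the ENUM_DRIVERS control
// code using the bit layout of the WDK CTL_CODE macro
// (DeviceType << 16 | Access << 14 | Function << 2 | Method).
pub const IOCTL_ENUM_DRIVERS: u32 = 0x0022_2048;

// WDK values for the fields we expect to find.
pub const FILE_DEVICE_UNKNOWN: u32 = 0x22;
pub const METHOD_BUFFERED: u32 = 0;
pub const FILE_ANY_ACCESS: u32 = 0;

#[derive(Debug, PartialEq, Eq)]
pub struct CtlCode {
    pub device_type: u32,
    pub access: u32,
    pub function: u32,
    pub method: u32,
}

/// Split a control code into its four fields.
pub fn decode_ctl_code(code: u32) -> CtlCode {
    CtlCode {
        device_type: code >> 16,
        access: (code >> 14) & 0x3,
        function: (code >> 2) & 0xFFF,
        method: code & 0x3,
    }
}

/// Equivalent of the WDK CTL_CODE macro.
pub fn ctl_code(device_type: u32, function: u32, method: u32, access: u32) -> u32 {
    (device_type << 16) | (access << 14) | (function << 2) | method
}

fn main() {
    let c = decode_ctl_code(IOCTL_ENUM_DRIVERS);
    println!("{:#010x} -> {:?}", IOCTL_ENUM_DRIVERS, c);
    // Rebuilding from the decoded fields must give the original code.
    assert_eq!(
        ctl_code(FILE_DEVICE_UNKNOWN, 0x812, METHOD_BUFFERED, FILE_ANY_ACCESS),
        IOCTL_ENUM_DRIVERS
    );
}
```

ENUM_DRIVERS decodes to FILE_DEVICE_UNKNOWN, function 0x812, METHOD_BUFFERED, FILE_ANY_ACCESS. METHOD_BUFFERED means the I/O manager copies the request through Irp->AssociatedIrp.SystemBuffer, so the caller's output buffer must be large enough for the whole DRIVER_INFO array; a user-mode client should be prepared to retry with a larger buffer.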

UI Features

Access via Kernel Utilities tab → Drivers sub-tab:

  • Driver table — Name, Base Address, Size, Entry Point, Path
  • Sorting — Click column headers (default: by base address)
  • Search filter — Filter by name, path, or address
  • CSV export — Export to drivers.csv
  • Context menu — Copy Name, Address, Path, Size
  • Size formatting — Human-readable (KB/MB)

Common System Drivers

Driver          Purpose
ntoskrnl.exe    Windows kernel executive
FLTMGR.SYS      Filesystem Filter Manager
CI.dll          Code Integrity (DSE)
tcpip.sys       TCP/IP network stack
ksecdd.sys      Kernel security support

Note that ntoskrnl.exe and CI.dll are loaded from System32, not System32\drivers, so a path-based "non-standard location" check needs to allow for them.

Detecting Suspicious Drivers

Signs of potentially malicious drivers:

  • Loaded from non-standard paths (not %SYSTEMROOT%\System32\drivers)
  • No corresponding service registry key
  • Unusually small or large size
  • Obfuscated or random-looking names
  • Missing or invalid file path
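The checks above, applied to a few constructed DriverInfo records, as an added example that is not part of DioProcess. It carries a local copy of the DriverInfo struct so it compiles without the callback crate; the size bounds, the "random-looking name" criterion and the mapping of \SystemRoot\ to C:\Windows\ are assumptions this example makes, not rules from the page:

```rust
use std::collections::HashSet;

// Local mirror of DriverInfo from crates/callback/src/types.rs so this
// example compiles without the callback crate. (Added example, not project code.)
#[derive(Debug, Clone)]
pub struct DriverInfo {
    pub base_address: u64,
    pub size: u64,
    pub entry_point: u64,
    pub driver_object: u64,
    pub driver_name: String,
    pub path: String,
    pub service_name: String,
}

/// Map the NT path forms seen in the loaded-module list onto one lower-cased
/// Win32 form so a single prefix check works:
///   \SystemRoot\System32\drivers\x.sys -> c:\windows\system32\drivers\x.sys
///   \??\C:\Users\Public\x.sys          -> c:\users\public\x.sys
/// Assumes the system root is C:\Windows (an assumption of this example).
pub fn normalize_path(path: &str) -> String {
    let p = path.to_lowercase();
    if let Some(rest) = p.strip_prefix("\\systemroot\\") {
        format!("c:\\windows\\{}", rest)
    } else if let Some(rest) = p.strip_prefix("\\??\\") {
        rest.to_string()
    } else {
        p
    }
}

/// Crude "random-looking name" test (the page leaves the criterion open; these
/// thresholds are assumptions): stem of at least six characters that contains
/// a digit, contains no vowel, and has almost no repeated characters. Tuned so
/// common vowel-less names such as fltmgr.sys or Wdf01000.sys are not flagged.
pub fn looks_random(name: &str) -> bool {
    let stem = name.rsplit('\\').next().unwrap_or(name);
    let stem = stem.split('.').next().unwrap_or(stem);
    let chars: Vec<char> = stem.chars().map(|c| c.to_ascii_lowercase()).collect();
    if chars.len() < 6 {
        return false;
    }
    let has_digit = chars.iter().any(|c| c.is_ascii_digit());
    let has_vowel = chars.iter().any(|c| "aeiou".contains(*c));
    let distinct: HashSet<&char> = chars.iter().collect();
    has_digit && !has_vowel && distinct.len() * 5 >= chars.len() * 4
}

/// Apply the heuristics from the list above; returns the reasons a record
/// looks suspicious (empty for a clean record). Size bounds are assumed values.
pub fn suspicious_flags(d: &DriverInfo) -> Vec<&'static str> {
    let mut flags = Vec::new();
    if d.path.is_empty() {
        flags.push("missing path");
    } else if !normalize_path(&d.path).starts_with("c:\\windows\\system32\\drivers\\") {
        flags.push("non-standard path");
    }
    if d.service_name.is_empty() {
        flags.push("no service key");
    }
    if d.size < 4096 || d.size > 64 * 1024 * 1024 {
        flags.push("unusual size");
    }
    if looks_random(&d.driver_name) {
        flags.push("random-looking name");
    }
    flags
}

/// Constructed sample records (not real enumeration output).
pub fn sample_drivers() -> Vec<DriverInfo> {
    let mk = |name: &str, path: &str, svc: &str, size: u64| DriverInfo {
        base_address: 0xFFFF_F800_1000_0000,
        size,
        entry_point: 0xFFFF_F800_1000_1000,
        driver_object: 0,
        driver_name: name.into(),
        path: path.into(),
        service_name: svc.into(),
    };
    vec![
        mk("tcpip.sys", "\\SystemRoot\\System32\\drivers\\tcpip.sys", "tcpip", 4 * 1024 * 1024),
        mk("xk3q7z.sys", "\\??\\C:\\Users\\Public\\xk3q7z.sys", "", 8192),
        mk("hidden.sys", "", "hidden", 1024),
    ]
}

fn main() {
    for d in sample_drivers() {
        println!("{:<12} {:?}", d.driver_name, suspicious_flags(&d));
    }
}
```

On a real listing the path rule also fires for ntoskrnl.exe, hal.dll and CI.dll, which load from System32 rather than System32\drivers, so in practice the flags are compared against a known-good baseline (see Use Cases) rather than treated as verdicts on their own.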

Driver Hiding

The DioProcess hypervisor can hide drivers from this enumeration. See Hypervisor > Process & Driver Hiding for details.

Use Cases

  • Inventory all loaded kernel drivers
  • Identify security product drivers
  • Detect potentially malicious or unauthorized drivers
  • Verify driver addresses for kernel debugging
  • Compare loaded drivers against a known-good baseline