June 2018
Beginner
510 pages
13h 7m
English
While discussing the driverscan plugin, I mentioned that driverscan gets module information from the DRIVER_OBJECT structure. Are you wondering what the DRIVER_OBJECT structure is? This will become clear soon. In this section, you will understand the interaction between the user-mode and kernel-mode components, the role of the device driver, and its interaction with the I/O manager. Typically, a rootkit consists of a user-mode component (an EXE or DLL) and a kernel-mode component (a device driver). The user-mode component of the rootkit communicates with the kernel-mode component using a specific mechanism. From a forensics standpoint, it is essential to understand how these communications work and which components are involved. ...