Learning Malware Analysis by Monnappa K A

5. Listing Kernel Modules

To list the kernel modules, you can use the modules plugin. This plugin relies on walking the doubly linked list of metadata structures (KLDR_DATA_TABLE_ENTRY) pointed to by PsLoadedModuleList (this technique is similar to walking the doubly linked list of _EPROCESS structures, as described in Chapter 10, Hunting Malware Using Memory Forensics, in the Understanding ActiveProcessLinks section). Listing kernel modules may not always help you identify the malicious kernel driver among the hundreds of loaded kernel modules, but it can be useful for spotting a suspicious indicator, such as a kernel driver with a weird name, or kernel modules loading from non-standard or temporary paths. The modules plugin ...
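The triage described above, as an added example that is not from the book or from Volatility itself: a small parser for the modules plugin's table output that flags the indicators the chapter names (odd module names, non-standard paths, temporary paths). The sample rows are constructed and the column layout is assumed to follow Volatility 2's modules table (Offset(V), Name, Base, Size, File).

```python
# Constructed sample rows laid out like Volatility 2's "modules" table
# (Offset(V), Name, Base, Size, File); made up for this example, not from a real image.
SAMPLE_MODULES = r"""
Offset(V)  Name          Base        Size     File
---------- ------------- ----------- -------- ----
0x823f8b78 ntoskrnl.exe  0x804d7000  0x1f8000 \WINDOWS\system32\ntoskrnl.exe
0x8241f8a8 tcpip.sys     0xf7a2c000  0x5f000  \SystemRoot\system32\DRIVERS\tcpip.sys
0x81f2f2f0 aksdf.sys     0xf6d3a000  0x2000   \??\C:\DOCUME~1\user\LOCALS~1\Temp\aksdf.sys
0x81e4d8e0 xyz123.sys    0xf6c0a000  0x4000   \??\C:\WINDOWS\Temp\xyz123.sys
0x81d0a100 svch0st       0xf6b00000  0x3000   \??\C:\WINDOWS\system32\drivers\svch0st
"""

STANDARD_PREFIX = "\\windows\\system32\\"     # where loaded drivers normally live
KNOWN_EXTENSIONS = (".sys", ".dll", ".exe")   # a module name without one is odd

def normalize_path(path):
    """Fold the \\??\\C:\\WINDOWS and \\SystemRoot spellings into one lower-case form."""
    p = path.lower()
    p = p[4:] if p.startswith("\\??\\") else p          # drop NT object-manager prefix
    p = p[2:] if len(p) > 1 and p[1] == ":" else p     # drop drive letter
    return p.replace("\\systemroot\\", "\\windows\\", 1)

def parse_modules_output(text):
    """Turn the plugin's table into dicts, skipping header and separator rows."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 4)     # File is last, so spaces inside it survive
        if len(parts) == 5 and parts[0].startswith("0x"):
            entries.append(dict(zip(("offset", "name", "base", "size", "path"), parts)))
    return entries

def suspicious_indicators(entry):
    """Return the chapter's indicators that apply to one module (empty if none)."""
    reasons = []
    path = normalize_path(entry["path"])
    name = entry["name"].lower()
    if not path.startswith(STANDARD_PREFIX):
        reasons.append("non-standard path")
    if "\\temp\\" in path:
        reasons.append("temporary path")
    if not name.endswith(KNOWN_EXTENSIONS):
        reasons.append("unusual module name")
    return reasons

def find_suspicious_modules(text):
    """Map module name -> indicators for every module that tripped at least one."""
    flagged = {}
    for entry in parse_modules_output(text):
        reasons = suspicious_indicators(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged
```

Run it over real plugin output and review the flagged entries by hand; a legitimate driver in an unusual location will also trip the path checks, so the result is a shortlist, not a verdict.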