

The Big Data Blog


Volatility Plugins — Plugin windows.drivermodule, windows.svcdiff Let’s Talk About it
Modern Windows rootkits assume that analysts will: enumerate drivers using linked lists, trust Windows APIs, and rely on "normal" system views. Volatility 3's windows.drivermodule plugin was built specifically to break that assumption.

What windows.drivermodule Actually Does: This plugin performs cross-view analysis for drivers, similar in spirit to psxview → processes and svcdiff → services, but focused entirely on kernel drivers.

Step 1: Memory Scanning. Scans memory for structures as
Dec 26, 2025 · 3 min read


Volatility Plugins — Plugin windows.modscan, windows.modules Let’s Talk About it
Drivers are the cleanest way for malware to own a Windows system. Once malicious code executes as a driver: it runs in kernel mode, it can hook system calls, it can hide processes, files, and registry keys, and it can tamper with security tools. This is why rootkits almost always involve drivers.

How Windows Tracks Drivers: Windows maintains multiple views of loaded drivers, just like it does with processes. Rootkits exploit this.

1. The Linked List (Normal View): Tracks currently load
Dec 25, 2025 · 3 min read


Volatility Plugins — Plugin windows.psxview Let’s Talk About it
If SSDT hooking shows you how rootkits control behavior, psxview shows you how they hide existence. This plugin is one of the most important tools for rootkit detection in memory.

What psxview Really Does: psxview is a compound plugin. It doesn’t invent new data — it compares existing views of processes gathered using different kernel mechanisms. Why this matters: Windows tracks processes in multiple places: linked lists, PID tables, thread structures, user-session data, desktop
Dec 23, 2025 · 3 min read


Volatility Plugins — Plugin windows.ssdt Let’s Talk About it
Now we’re stepping into kernel territory. And once malware gets here, things get serious. One of the biggest wins for kernel malware is SSDT hooking. If you understand this, you understand how rootkits control the entire system.

What Is the SSDT: The System Service Descriptor Table (SSDT) is basically a lookup table used by the Windows kernel. When a process asks Windows to do something like: open a file, read registry data, enumerate processes, allocate memory …the kernel looks
Dec 19, 2025 · 2 min read


Volatility Plugins — Plugin windows.ldrmodules Let’s Talk About it
This plugin is honestly one of the best examples of why Volatility still matters in memory forensics. Why? Because instead of trusting a single data source, ldrmodules does something very smart — it cross-checks multiple memory structures and looks for inconsistencies. And malware absolutely hates consistency.

What ldrmodules Is Actually Doing: When we’re looking for suspiciously loaded code inside a process, there isn’t just one place to look. Windows tracks loaded DLLs in mu
Dec 17, 2025 · 4 min read