
Volatility Plugins — windows.drivermodule and windows.svcdiff: Let's Talk About Them

  • 2 days ago
  • 3 min read


Modern Windows rootkits assume that analysts will:

  • enumerate drivers by walking the kernel's linked lists

  • trust the answers Windows APIs return

  • rely on "normal" system views


Volatility 3's windows.drivermodule plugin was built specifically to break that assumption.



What windows.drivermodule Actually Does

This plugin performs cross-view analysis for drivers, similar in spirit to:

  • psxview → processes

  • svcdiff → services


But focused entirely on kernel drivers.


Step 1: Memory Scanning

  • Pool-scans the memory image for DRIVER_OBJECT structures (the same scan windows.driverscan performs) and reads each object's metadata:

    • DriverStart (the image base) and DriverSize

    • DriverName and the service key that loaded it

  • This is the ground-truth view: it depends on no list Windows maintains, so an unlinked driver still shows up


Step 2: Linked-List Enumeration

  • Walks PsLoadedModuleList, the kernel's doubly linked list of loaded modules:

    • this is the list behind Windows APIs such as EnumDeviceDrivers, and the list windows.modules reports

  • This is what the OS claims is loaded


Step 3: Cross-Comparison

  • Compares the two views:

    • scanned DRIVER_OBJECTs

    • API-visible modules

  • A DRIVER_OBJECT whose image base the module list cannot account for is flagged


If memory says a driver exists but Windows denies it → rootkit territory


Metadata Anomaly Detection

Rootkits don't just unlink drivers; they also tamper with the driver object's metadata to frustrate analysis.

The plugin checks for anomalies such as:

  • Base address (DriverStart) = 0x0

  • Image size (DriverSize) = 0 bytes

  • Missing or inconsistent path information


Why Rootkits Do This

  • Makes dumping harder: a dumper that takes the base and size from the object has nothing to dump

  • Breaks naïve tools that expect a valid PE header at the recorded base

  • Confuses analysts looking for valid PE structures

Ironically, these manipulations make the driver more suspicious, not less: a driver object with no base, no size or no path is exactly the kind of inconsistency the plugin looks for.



Known Exceptions vs Real Red Flags

Some legitimate Windows components (for example driver objects that belong to built-in kernel components rather than to a separate .sys image):

  • behave oddly

  • violate the "normal" expectation that every DRIVER_OBJECT maps to a listed module

  • would otherwise cause false positives


The plugin accounts for this by:

  • maintaining a list of known exceptions

  • marking them explicitly in the output rather than hiding them



How to Interpret the Output

  • Known Exception = True

    • Likely benign

    • Still reviewable, but lower priority


  • Known Exception = False

    • Not explained by normal OS behavior

    • High-confidence rootkit indicator

    • Must be investigated

This dramatically reduces analyst noise.
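The three steps, the metadata checks and the Known Exception label, reproduced on constructed records as an added example. This is illustrative Python, not the plugin's own source: the KNOWN_EXCEPTIONS set is an assumed subset, every address and the driver named samplehidden are invented, and in a real investigation the DRIVER_OBJECT and module records come from Volatility's symbol tables, not from hand-built dataclasses.

```python
"""Cross-view driver check modelled on windows.drivermodule.

Added illustrative code; it is not the Volatility 3 plugin's source. Records
are constructed dataclasses standing in for what the two views recover.
"""
from dataclasses import dataclass, field

# Illustrative subset of driver objects the kernel creates without a separate
# .sys image behind them (assumed here; the real plugin keeps its own list).
KNOWN_EXCEPTIONS = {
    "\\Driver\\PnpManager",
    "\\Driver\\WMIxWDM",
    "\\Driver\\Win32k",
    "\\FileSystem\\RAW",
}


@dataclass(frozen=True)
class DriverObject:
    """Subset of a DRIVER_OBJECT as recovered by a pool scan (view 1)."""
    offset: int        # where the object was found in the image
    name: str          # DriverName
    start: int         # DriverStart, i.e. the image base
    size: int          # DriverSize
    service_key: str   # DRIVER_EXTENSION.ServiceKeyName


@dataclass(frozen=True)
class LoadedModule:
    """Subset of a PsLoadedModuleList entry as walked by windows.modules (view 2)."""
    base: int
    size: int
    full_path: str


@dataclass
class Finding:
    offset: int
    name: str
    service_key: str
    known_exception: bool
    reasons: list = field(default_factory=list)


def driver_module_diff(scanned, listed, exceptions=KNOWN_EXCEPTIONS):
    """Return one Finding per scanned driver the linked list cannot account for."""
    by_base = {m.base: m for m in listed}
    findings = []
    for drv in scanned:
        reasons = []
        mod = by_base.get(drv.start)
        if mod is None:
            reasons.append("DriverStart matches no PsLoadedModuleList entry")
        elif not mod.full_path:
            reasons.append("module entry carries no path")
        # Metadata anomalies: a zeroed base or size defeats naive dumping tools.
        if drv.start == 0:
            reasons.append("DriverStart is 0x0")
        if drv.size == 0:
            reasons.append("DriverSize is 0")
        if reasons:
            # The exception flag is attached to the finding, never used to drop it.
            findings.append(Finding(drv.offset, drv.name, drv.service_key,
                                    drv.name in exceptions, reasons))
    return findings


def high_priority(findings):
    """Known Exception == False entries: not explained by normal OS behaviour."""
    return [f for f in findings if not f.known_exception]


# Constructed sample views (every address and name below is invented; the
# zeroed WMIxWDM entry is a made-up stand-in, not what a real image shows).
SCANNED = [
    DriverObject(0xFFFF9A8001234050, "\\Driver\\ACPI", 0xFFFFF80012340000, 0x9C000, "ACPI"),
    DriverObject(0xFFFF9A8001235050, "\\Driver\\WMIxWDM", 0x0, 0x0, "WMIxWDM"),
    DriverObject(0xFFFF9A8001AB0050, "\\Driver\\samplehidden", 0xFFFFF80045670000, 0x0, "samplehidden"),
]
LISTED = [
    LoadedModule(0xFFFFF80010000000, 0x1040000, "\\SystemRoot\\system32\\ntoskrnl.exe"),
    LoadedModule(0xFFFFF80012340000, 0x9C000, "\\SystemRoot\\System32\\drivers\\ACPI.sys"),
]

if __name__ == "__main__":
    for f in driver_module_diff(SCANNED, LISTED):
        print(f"{f.offset:#x} known_exception={f.known_exception} {f.name}: {'; '.join(f.reasons)}")
```

ACPI is accounted for by the list and produces nothing; the zeroed WMIxWDM entry is flagged but labelled as a known exception; samplehidden is flagged with Known Exception False and is the only entry high_priority() keeps. That split, flag everything and label the benign cases, is what keeps the plugin's output short without silently dropping a real hit.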



Why This Plugin Is So Effective

Andrew Case (Volatility core developer) demonstrated that:

  • windows.drivermodule detected every modern Windows rootkit sample the team tested

  • including samples that:

    • successfully hid from the driver lists

    • avoided traditional modscan detection

    • manipulated metadata to evade dumping

This makes it one of the strongest rootkit detection plugins in Volatility 3.

-----------------------------------------------------------------------------------------------------

Hidden Services: The Other Half of the Story

Kernel drivers do not load themselves.

They are commonly loaded through a Windows service entry (a kernel-driver service under HKLM\SYSTEM\CurrentControlSet\Services) whose start type is:

  • boot-start (loaded by the boot loader before the kernel runs)

  • system-start (loaded by the kernel during initialisation)

  • auto-start (loaded by the Service Control Manager once services.exe is running)


Rootkits often hide both:

  • the driver

  • the service that loads it


windows.svcdiff — Detecting Hidden Services

The windows.svcdiff plugin performs cross-view analysis for services, in the same way psxview does for processes and drivermodule for drivers.


How It Works

It compares:

  • services found by walking the service record list that services.exe keeps in its own memory:

    • this is what windows.svclist reports, and what the Service Control Manager answers with when tools such as sc query ask

  • services found by scanning services.exe memory for service records, regardless of any list:

    • this is what windows.svcscan reports


What It Finds

  • service records that:

    • exist in services.exe memory

    • are missing from the list the SCM reports from

    • are therefore likely unlinked or otherwise hidden


These hidden services are frequently:

  • used to load malicious drivers

  • responsible for persistence across reboots

  • part of kernel rootkit infrastructure


-------------------------------------------------------------------------------------

Putting It All Together: Rootkit Detection Workflow

A practical Volatility 3 rootkit triage looks like this (each step is one invocation of the form vol -f <image> <plugin>):

  1. windows.psxview

    • Look for hidden processes

  2. windows.drivermodule

    • Identify hidden or metadata-manipulated drivers

  3. windows.svcdiff

    • Find hidden services used for persistence

  4. windows.ssdt

    • Check for hooks pointing into suspicious drivers

  5. windows.modules / windows.modscan

    • Correlate linked vs scanned driver data

  6. Dump and analyze

    • Extract drivers and services for deeper analysis

Each plugin reinforces the others.
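The driver and service steps of the workflow wired together, as an added example that is neither Volatility 3 code nor the post's own. Given an image path it runs windows.drivermodule and windows.svcdiff through the real `-r json` renderer; with no argument it falls back to constructed sample rows. It then ranks every Known Exception = False driver by whether a hidden service loads it. The column names in COLUMNS are assumed from the plugins' current output and are checked at run time; the offsets, driver names, service names and paths in the sample rows are invented.

```python
"""Join windows.drivermodule and windows.svcdiff output for rootkit triage.

Added example; it is neither Volatility 3 code nor the post's own. It assumes
the JSON column names listed in COLUMNS (confirm them against your release's
`vol -r json` output) and needs `vol` on PATH only when given a real image.
"""
import json
import subprocess
import sys

# Assumed JSON column names per plugin; check_columns() fails if they differ.
COLUMNS = {
    "windows.drivermodule": ("Offset", "Known Exception", "Driver Name", "Service Key"),
    "windows.svcdiff": ("Offset", "PID", "Start", "Type", "Name", "Binary"),
}


def run_plugin(image, plugin, vol="vol"):
    """Run one plugin with the JSON renderer (`-r json`) and return its rows."""
    proc = subprocess.run(
        [vol, "-f", image, "-r", "json", plugin],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def check_columns(rows, plugin):
    """Raise if the rows lack a column this script relies on."""
    if not rows:
        return
    missing = [c for c in COLUMNS[plugin] if c not in rows[0]]
    if missing:
        raise KeyError(f"{plugin}: missing columns {missing}; update COLUMNS")


def correlate(driver_rows, service_rows):
    """Rank drivermodule hits by whether a hidden service loads them.

    Returns (findings, orphans). findings: rows with Known Exception False,
    those whose Service Key names a hidden service first. orphans: hidden
    services (svcdiff rows) that matched no flagged driver.
    """
    hidden_by_name = {row["Name"].lower(): row for row in service_rows}
    matched = set()
    findings = []
    for row in driver_rows:
        if row["Known Exception"]:
            continue  # explained by normal OS behaviour; review later
        key = (row["Service Key"] or "").lower()
        svc = hidden_by_name.get(key)
        if svc is not None:
            matched.add(key)
        findings.append({
            "driver": row["Driver Name"],
            "offset": row["Offset"],
            "service_key": key,
            "hidden_service": svc is not None,
            "start": svc["Start"] if svc else None,
            "binary": svc["Binary"] if svc else None,
        })
    findings.sort(key=lambda f: (not f["hidden_service"], f["driver"]))
    orphans = [r for name, r in hidden_by_name.items() if name not in matched]
    return findings, orphans


# Constructed rows shaped like `vol -r json` output; every value is invented.
SAMPLE_DRIVERMODULE = [
    {"Offset": 0x1E3A5050, "Known Exception": True, "Driver Name": "\\Driver\\WMIxWDM",
     "Service Key": "WMIxWDM", "Alternative Name": "", "__children": []},
    {"Offset": 0x2BF10050, "Known Exception": False, "Driver Name": "\\Driver\\samplehidden",
     "Service Key": "samplehidden", "Alternative Name": "", "__children": []},
    {"Offset": 0x2C440050, "Known Exception": False, "Driver Name": "\\Driver\\unlinkeddrv",
     "Service Key": "unlinkeddrv", "Alternative Name": "", "__children": []},
]
SAMPLE_SVCDIFF = [
    {"Offset": 0x1A4C2E0, "Order": 131, "PID": 684, "Start": "SERVICE_SYSTEM_START",
     "State": "SERVICE_RUNNING", "Type": "SERVICE_KERNEL_DRIVER", "Name": "samplehidden",
     "Display": "", "Binary": "\\SystemRoot\\System32\\drivers\\samplehidden.sys",
     "__children": []},
    {"Offset": 0x1A4D3F0, "Order": 132, "PID": 684, "Start": "SERVICE_AUTO_START",
     "State": "SERVICE_RUNNING", "Type": "SERVICE_WIN32_OWN_PROCESS", "Name": "persistsvc",
     "Display": "", "Binary": "C:\\ProgramData\\persist\\svc.exe", "__children": []},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real image: run the two plugins
        drivers = run_plugin(sys.argv[1], "windows.drivermodule")
        services = run_plugin(sys.argv[1], "windows.svcdiff")
    else:                  # no image: use the constructed sample rows
        drivers, services = SAMPLE_DRIVERMODULE, SAMPLE_SVCDIFF
    check_columns(drivers, "windows.drivermodule")
    check_columns(services, "windows.svcdiff")
    findings, orphans = correlate(drivers, services)
    for f in findings:
        tag = "hidden service" if f["hidden_service"] else "no hidden service"
        print(f"{f['offset']:#x} {f['driver']} [{tag}] {f['start'] or ''} {f['binary'] or ''}")
    for r in orphans:
        print(f"hidden service without flagged driver: {r['Name']} {r['Type']} {r['Binary']}")
```

Run it as python3 triage.py memory.raw, or with no argument for the sample rows. A flagged driver whose Service Key matches a hidden kernel-driver service is the strongest signal the workflow produces, and its Binary path tells you which file to carve for step 6; hidden services that match no flagged driver are listed separately because they may be the persistence for a user-mode component instead.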

------------------------------------------------------------------------------------


Why Cross-View Analysis Is So Powerful

Rootkits can:

  • hide from one view

  • manipulate one data structure


But hiding consistently from:

  • linked lists

  • memory scans

  • metadata checks

  • service tables

…is extremely difficult.


Volatility’s philosophy is:

“Trust nothing. Compare everything.”

------------------------------------------------------------------------------------------

Key Takeaways

  • windows.drivermodule is purpose-built for modern Windows rootkits

  • It detects:

    • hidden drivers

    • unlinked drivers

    • metadata manipulation

  • Known exceptions are labelled for you (Known Exception = True), so they can be deprioritised rather than chased

  • Unknown discrepancies are high-value findings

  • Rootkits often rely on hidden services, detectable via windows.svcdiff

  • Cross-view analysis remains one of the most reliable rootkit detection techniques


------------------------------------Dean---------------------------------------------------