How do you identify a driver executable?

Question

How do you determine whether a given exe or dll or sys file is actually a driver? I mean what differentiates a driver from a normal executable?

score 4 · Accepted Answer · answered Apr 10 '12 at 12:01

4

The Image of a driver is always marked as IMAGE_SUBSYSTEM_NATIVE (IMAGE_OPTIONAL_HEADER.Subsystem - See the Microsoft Portable Executable specification) while the image of an application is typically marked as IMAGE_SUBSYSTEM_WINDOWS_GUI or IMAGE_SUBSYSTEM_WINDOWS_CUI.

answered Apr 10 '12 at 12:01

mox

6,084
2
23
35

Exactly what I was looking for. I wish I could up-vote this but I don't have enough reps... – CodeWarrior Apr 11 '12 at 16:45

score 0 · Answer 2 · answered Apr 09 '12 at 19:44

A normal executable runs in user-mode while a driver runs in kernel mode. A normal executable typically interacts with the desktop while a driver cannot interact with the desktop (has no user interface). A normal executable interacts with the Windows API while a driver cannot interact with the Windows API.

score 0 · Answer 3 · answered Apr 11 '12 at 13:09

0

@mox - this is correct however it means delving in with a debugger/hex editor/other PE header reading tool. Instead you could always look at the file's dependencies (with Dependency Walker) and if the file depends on NTOSKRNL.EXE then is most probably a driver.

answered Apr 11 '12 at 13:09

MrBry

392
4
14

Actually I wanted to write a tool that listed all the driver files present in a given folder. I guess I should have been more specific in my question. Thanks anyways. – CodeWarrior Apr 11 '12 at 16:49
@CodeWarrior: there is unfortunately no other means to detect property like the one you want to detect (driver) other than to use external "tool". The one I use and develop :-) is PeStudio (http://www.winitor.com). – mox Apr 12 '12 at 07:57
@CodeWarrior: hit Enter to early! Additionally, applications like autocheck.exe, etc are NO drivers but still are detected as "Native". This makes the job of classification not easy! – mox Apr 12 '12 at 08:02
The well-known Win32 main process (aka. csrss.exe) is another example of a special case! It is tagged as native, BUT has no dependency on NTOSKRNL.EXE ! – mox Apr 12 '12 at 08:13
You could always look at you problem in another way. If are you interested only in registered drivers then you could then look into the services areas of the registry to get the information you want. – MrBry Apr 13 '12 at 10:58

How do you identify a driver executable?

3 Answers3