morph3us.org

Lately I had an idea to simply detect loaded kernel drivers which hide their presence after their execution. I'm sure this method is already known/used but because I never read of it I decided to write it down.

You have to reboot your box and start the system with enabled boot logging - hit F8 before Windoze boot screen and select the entry "Enable Boot Logging". Another possibilty to boot with enabled logging is to hand the /BOOTLOG option to the Windoze kernel as a parameter by editing the `boot.ini' file.

holy father (hf) the author of the famous Hacker Defender (hxdef) rootkit for Windoze NT systems offers a new driver coding tutorial on his site (http://hxdef.org/knowhow.php) . He plans to release a new part of the tutorial once a week for a while (circa 12 weeks IIRC). This tutorial is really worth reading for all people who are interested in this topic because this kind of information is rarely found in such great manner and this guy definitely knows about what he talks.