Question

How do you determine whether a given exe or dll or sys file is actually a driver? I mean what differentiates a driver from a normal executable?


Solution

The Image of a driver is always marked as IMAGE_SUBSYSTEM_NATIVE (IMAGE_OPTIONAL_HEADER.Subsystem - See the Microsoft Portable Executable specification) while the image of an application is typically marked as IMAGE_SUBSYSTEM_WINDOWS_GUI or IMAGE_SUBSYSTEM_WINDOWS_CUI.
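The header walk described in this answer, as an added example (not code from the original post): read `e_lfanew`, confirm the `PE\0\0` signature, then pull `Subsystem` from the optional header. The `build_header_only_pe` helper constructs a header-only sample image so the check can be exercised offline; its name and the sample it produces are this example's own, not anything from the question.

```python
import struct

# Subsystem values from the PE specification (IMAGE_OPTIONAL_HEADER.Subsystem)
IMAGE_SUBSYSTEM_NATIVE = 1
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_subsystem(image: bytes) -> int:
    """Return the Subsystem field of a PE image held in memory.

    MZ header -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> optional header.
    Subsystem sits at offset 68 of the optional header for both PE32 and
    PE32+ (the 8-byte ImageBase in PE32+ exactly replaces BaseOfData).
    """
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or size_of_optional < 70:
        raise ValueError("unrecognised or truncated optional header")
    return struct.unpack_from("<H", image, opt + 68)[0]


def is_native_image(image: bytes) -> bool:
    """True when the image is marked IMAGE_SUBSYSTEM_NATIVE, as drivers are."""
    return pe_subsystem(image) == IMAGE_SUBSYSTEM_NATIVE


def build_header_only_pe(subsystem: int, pe32plus: bool = False) -> bytes:
    """Constructed sample for testing: a header-only PE with zero sections.

    It is not a loadable image; it only exercises the header walk above.
    """
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)   # 64-byte DOS stub
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Treat the subsystem value as a strong hint rather than proof: native-subsystem user-mode programs such as autochk.exe carry IMAGE_SUBSYSTEM_NATIVE too, so pair it with the import-table check suggested in the other answers.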

OTHER TIPS

A normal executable runs in user-mode while a driver runs in kernel mode. A normal executable typically interacts with the desktop while a driver cannot interact with the desktop (has no user interface). A normal executable interacts with the Windows API while a driver cannot interact with the Windows API.

@mox - this is correct; however, it means delving in with a debugger/hex editor/other PE header reading tool. Instead you could always look at the file's dependencies (with Dependency Walker) and if the file depends on NTOSKRNL.EXE then it is most probably a driver.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow