TL;DR
Yes. A malicious driver can keep itself out of Device Manager, and Device Manager is a poor place to look for one anyway: it shows Plug and Play device nodes, not the list of loaded kernel modules, so a driver that is registered only as a kernel service never appears there even when it is benign, and device nodes flagged as hidden are shown only after you enable View > Show hidden devices. This guide explains the hiding techniques and how to detect a hidden driver using views of the system that do not depend on Device Manager.
How Malware Hides Drivers
Malware authors try to conceal their drivers to avoid detection by users and security software. Here’s how they achieve this:
1. Rootkit Techniques
Rootkits are the most common method. They hook the enumeration path that Device Manager relies on, in user mode the SetupAPI and CfgMgr32 calls the console issues, in kernel mode the PnP manager and I/O manager structures behind them, and filter the malicious entries out of the results before Device Manager ever sees them.
- Kernel-Mode Rootkits: run inside the kernel with full control and hide by directly modifying kernel data structures (direct kernel object manipulation, DKOM). On 64-bit Windows, Driver Signature Enforcement and Kernel Patch Protection raise the bar, so such code is typically loaded with a stolen or leaked signing certificate or through a signed but vulnerable third-party driver ("bring your own vulnerable driver").
- User-Mode Rootkits: less powerful, but effective against Device Manager specifically, because hooking the SetupAPI functions in the console's own process (mmc.exe) is enough to filter what it displays.
2. Driver Object Manipulation
Malware that already runs in the kernel can alter the objects that describe its driver so that it drops out of the views administrators and tools use.
- Unlinking from the Loaded-Module List: removing the driver's entry from PsLoadedModuleList, the kernel's doubly linked list of loaded modules. The driver's code stays in memory and keeps running, but tools that walk that list (driverquery, EnumDeviceDrivers, most "loaded modules" views) no longer report it.
- Modifying Device Attributes: marking the device node as hidden (the DN_NO_SHOW_IN_DM status flag, or a NoDisplayClass value in the device's setup class key) so Device Manager omits it unless Show hidden devices is enabled.
3. Using Hidden or Generic Driver Names
Malware often uses names that blend in with legitimate drivers, making it harder to identify.
- Generic Names: “Standard PC Controller”, “USB Host Controller” etc.
- Misleading Descriptions: Using descriptions similar to known hardware components.
4. Disabling Device Manager Features
Some malware interferes with the console itself, preventing devmgmt.msc from starting, tampering with the policies that control it, or breaking the property pages that would expose the driver's file and signer, so that the user cannot get a view that would reveal it.
Detecting Hidden Drivers
Detecting hidden drivers is challenging, but here are some methods:
1. Use a Reputable Anti-Malware Scanner
A good anti-malware program with rootkit detection capabilities is your first line of defense.
- Full System Scan: Run a complete scan, including boot sector and memory checks.
- Regular Updates: Keep your scanner’s definitions up to date.
2. Check for Unsigned Drivers
On 64-bit Windows a kernel driver must be signed to load at all unless test signing is enabled, so an unsigned driver, or a machine with test signing switched on (bcdedit /enum shows "testsigning Yes"), is itself a finding.
- Device Manager: right-click a device, select Properties and open the Driver tab. The Digital Signer field names the signer of the driver package, and Driver Details lists each file with its own signer.
- PowerShell: the following lists drivers bound to PnP devices whose package is not signed. Win32_PnPSignedDriver exposes an IsSigned boolean and a Signer string; it has no SignerStatus property, so filtering on one returns nothing useful.
Get-CimInstance Win32_PnPSignedDriver | Where-Object { -not $_.IsSigned } | Select-Object DeviceName, DriverProviderName, InfName, Signer
Any row returned is an unsigned PnP driver. Get-WmiObject Win32_PnPSignedDriver works the same way on Windows PowerShell 5.1 but is not available in PowerShell 7. Note that this class only covers drivers attached to Plug and Play devices; a kernel driver registered purely as a service never appears here and has to be checked on disk.
3. Examine System Files
Look for unusual files in the system directories.
- Drivers directory: check C:\Windows\System32\drivers for .sys files that are unsigned, recently written, or not part of any installed driver package. Driver packages that Windows has staged live under C:\Windows\System32\DriverStore\FileRepository, and a loose .sys file that belongs to no package there deserves a look.
- Registry keys: investigate the driver service entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Kernel drivers have Type 1 (or 2 for file-system drivers); compare each entry's ImagePath with the file actually on disk and its Start value (0 boot, 1 system, 2 auto, 3 demand, 4 disabled) with what you expect for that driver.
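The PowerShell below is an added worked example, not code from the original article, and it ties the signature check and the registry inspection above together. It reads every Type 1 and Type 2 service under HKLM\SYSTEM\CurrentControlSet\Services, resolves the ImagePath forms the Service Control Manager accepts into a Win32 path, verifies the binary's Authenticode signature, and cross-checks the registry view against the SCM view that WMI exposes through Win32_SystemDriver, so a driver that one view reports and the other does not stands out. The function names are my own; run it from an elevated prompt so every service key and .sys file is readable. Inbox drivers are often catalog-signed rather than embedded-signed; current Windows resolves those through the OS catalogs, but treat a NotSigned result on a Microsoft file as something to re-check with Sysinternals Sigcheck rather than as a verdict.

```powershell
# Added example (not from the original article): audit kernel-mode driver services,
# verify each binary's Authenticode signature, and compare the registry view of the
# services with the Service Control Manager view exposed by WMI. Run elevated.

function Resolve-DriverImagePath {
    # Normalise the ImagePath forms the SCM accepts into a plain Win32 path.
    param([string]$ImagePath, [string]$ServiceName)

    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        # SCM default for a kernel driver whose service key has no ImagePath value
        return Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\x.sys    -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\...  -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                       # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-KernelDriverAudit {
    [CmdletBinding()]
    param()

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # SCM view of driver services, keyed by service name
    $scmView = @{}
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $scmView[$_.Name.ToLowerInvariant()] = $_
    }

    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services
        if ($null -eq $props -or ($props.Type -ne 1 -and $props.Type -ne 2)) { continue }

        $name   = $key.PSChildName
        $path   = Resolve-DriverImagePath -ImagePath $props.ImagePath -ServiceName $name
        $exists = Test-Path -LiteralPath $path -PathType Leaf

        $sigStatus = 'FileMissing'
        $signer    = ''
        if ($exists) {
            $sig       = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status.ToString()      # Valid, NotSigned, HashMismatch, UnknownError, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # A service present in the registry but absent from the SCM/WMI view is a
        # cross-view discrepancy of the kind rootkit detectors look for.
        $scm      = $scmView[$name.ToLowerInvariant()]
        $scmState = 'NotInSCMView'
        if ($scm) { $scmState = $scm.State }

        [pscustomobject]@{
            Name       = $name
            Start      = $props.Start          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            ImagePath  = $path
            FileExists = $exists
            Signature  = $sigStatus
            Signer     = $signer
            SCMState   = $scmState
        }
    }
}

# Usage: list the entries worth a second look. An enabled driver that is unsigned,
# whose file is missing, or that the SCM view does not know about is a lead.
Get-KernelDriverAudit |
    Where-Object { $_.Start -ne 4 -and ($_.Signature -ne 'Valid' -or $_.SCMState -eq 'NotInSCMView') } |
    Sort-Object Signature, Name |
    Format-Table Name, Start, Signature, Signer, SCMState, ImagePath -AutoSize
```

The audit deliberately reads the registry directly instead of asking the SCM which drivers exist, because a rootkit that hooks the service enumeration APIs can hide an entry from Get-Service and WMI while the registry key is still there; when the two views disagree, the discrepancy is the finding. It will not see a driver that was loaded without a service entry at all, which is why an offline or memory-forensics check remains the stronger tool for a serious suspicion.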
4. Use Specialized Tools
Tools designed for rootkit detection can help uncover hidden drivers.
- RootkitRevealer: a free Sysinternals tool that compares the registry and file system as seen through the Windows API with a raw scan of the hive and volume and reports the discrepancies. It is no longer maintained and runs only on 32-bit Windows XP and Server 2003, so on current systems it is of historical interest.
- GMER: a rootkit detector that looks for hidden processes, threads, modules, services, files and registry keys and for hooks in the SSDT, IDT, IRP handlers and inline code. It too has not been updated for years; treat its findings as leads to confirm with other tools rather than as verdicts.
5. Boot into Safe Mode
Safe Mode starts only the drivers and services listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network), so a malicious driver that has not registered itself there never becomes active and cannot hook the enumeration you rely on; the registry entry and the .sys file are then visible with ordinary tools. Malware can add its own entry to the SafeBoot key, so inspect that key too, and for a serious suspicion prefer examining the disk offline from a known-good boot medium.
6. Process Explorer (Sysinternals)
Process Explorer lists loaded kernel modules in the lower pane (DLL view) of the System process (PID 4), with the path of each .sys file; enable Options > Verify Image Signatures to have it check each module's signature, and sort on the Verified Signer column to bring unsigned modules to the top. Because it relies on the same kernel module list that a DKOM rootkit unlinks itself from, an absent entry is possible, but an unsigned or oddly located module that does appear is a direct lead to the file and the service that loads it.