I have a machine that has a very strange driver loaded. What makes it strange is this:
- randomly named, and the name changes on reboot
- isn't actually on the file system (even when it's mounted as a data partition from Linux)
- registry entries referring to it are regenerated if removed
- doesn't show up in verifier's list of drivers
- it's hooking a piece of hardware that isn't on the system
To me this looks like it could be malware/rootkit, but Symantec (from Windows) and clamav (from Linux) both report that the system is clean. So either it's not harmful or it's a currently undetected piece of malware. Figuring out which is somewhat challenging.
What I am looking for is a tool that will let me dump an image of the driver to disk and examine it, and also find out how it's loading in the first place (probably by monitoring the SSDT). While it is within my abilities to write such a tool, I would rather use something off the shelf if such a tool already exists. Ideally this would be an open source tool, but in any case it can't rely on a closed source unsigned driver. Can you guys recommend a tool, or should I write it myself?
Edit: Also, this is XP with SP3 installed.