Looking for input on Dynamic Driver listings in the DRT

usasma (Retired Admin, joined Feb 20, 2012, 2,126 posts)
Recently there have been instances of a temporary driver showing up in some memory dumps. The temp driver is most likely either from a program using the WinRing libraries (most often it's seen with RealTemp) or a driver used with the LoL game.

It's labelled tmp????.tmp - with the ?'s being either lower case or upper case letters or numbers. Both of the tmp's are lower case.

My question here is how should we address this driver in the DRT?
I don't want to add all possible combinations of letters/numbers to the DRT, but would like to achieve consistency in the way that we list dynamic drivers.

For those that have been around for a while, they've seen the problems with the dynamic drivers used by Daemon Tools/Alcohol % software (both the a???????.SYS drivers and the sp??.sys drivers) along with the Microsoft Security Essentials drivers (MpKsl????????.sys).

I suggest that we use ?'s to take the place of the variable characters, and that the pattern be noted in the Information column.

This brings up another question - should we then trim out all the other random drivers that have been listed?

This would leave us with 4 entries:
- tmp????.tmp
- a???????.SYS
- sp??.sys
- MpKsl????????.sys
 
I agree with not adding all dynamically allocated drivers. We sure had a time [fun...? :)] when adding Daemon Tools a*.SYS drivers for a while only to end up stopping after we realized what was happening.

I like the use of question marks as they signify 1 character each (in DOS, anyway; not sure if those of today use the same or even know about it).

But what about drivers like a2util32.sys, an A² driver?

I guess my point is simply that a???????.SYS would cover that one but I'm not sure it really matters because the A² driver and other exceptions would be listed.

I think we should go ahead and implement the use of ???? to cover dynamic drivers and delete those we can ID as same in the current DRT.
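A small lookup routine, added here as an illustration (it is not part of the DRT or any forum member's tooling), showing how the `?` placeholder entries proposed above would resolve against driver names pulled from a dump, and how the a2util32.sys concern is handled by letting an exact entry win over a wildcard entry. It goes a little beyond the thread by generalizing to any mix of exact and wildcard entries. The Information text, the exact a2util32.sys entry and the sample module names are constructed for the example.

```python
import fnmatch

# Constructed sample DRT entries: the four wildcard patterns proposed in the
# thread, plus one exact-name entry (a2util32.sys) representing a known driver
# that the a???????.SYS pattern would otherwise swallow. Each '?' stands for
# exactly one character, as in DOS wildcards. Information text is illustrative.
DRT_ENTRIES = [
    ("tmp????.tmp", "Temporary driver; WinRing-based tools (e.g. RealTemp) or the LoL game"),
    ("a???????.SYS", "Daemon Tools / Alcohol dynamic driver"),
    ("sp??.sys", "Daemon Tools / Alcohol dynamic driver"),
    ("MpKsl????????.sys", "Microsoft Security Essentials dynamic driver"),
    ("a2util32.sys", "Emsisoft a-squared utility driver (constructed description)"),
]


def is_wildcard(entry_name):
    """True if a DRT entry is a pattern rather than an exact driver name."""
    return "?" in entry_name or "*" in entry_name


def lookup(driver_name, entries=DRT_ENTRIES):
    """Return the DRT entries matching driver_name as (pattern, information) tuples.

    Matching is case-insensitive (Windows file names are). Exact entries take
    precedence over wildcard entries, so a listed driver such as a2util32.sys is
    reported as itself and not as a Daemon Tools a???????.SYS dynamic driver.
    """
    name = driver_name.lower()
    exact = [(p, info) for p, info in entries
             if not is_wildcard(p) and p.lower() == name]
    if exact:
        return exact
    return [(p, info) for p, info in entries
            if is_wildcard(p) and fnmatch.fnmatchcase(name, p.lower())]


def classify_loaded_modules(module_names, entries=DRT_ENTRIES):
    """Map each module name to (kind, entry) where kind is
    'dynamic' (matched a wildcard entry), 'known' (matched an exact entry)
    or 'unknown' (no DRT entry), and entry is the matching DRT pattern or None."""
    result = {}
    for module in module_names:
        hits = lookup(module, entries)
        if not hits:
            result[module] = ("unknown", None)
        elif is_wildcard(hits[0][0]):
            result[module] = ("dynamic", hits[0][0])
        else:
            result[module] = ("known", hits[0][0])
    return result


if __name__ == "__main__":
    # Constructed loaded-module names, like those seen in a dump's module list.
    sample_modules = ["tmpA1b2.tmp", "a2util32.sys", "aXYZ1234.SYS",
                      "sp7k.sys", "MpKsl1a2b3c4d.sys", "ntoskrnl.exe", "tmp12.tmp"]
    for module, (kind, entry) in classify_loaded_modules(sample_modules).items():
        print(f"{module:20} {kind:8} {entry}")
```

Note that tmp12.tmp does not match tmp????.tmp because `?` consumes exactly one character; if the temp names turn out to vary in length, the DRT entry would need a `*` instead, which is the trade-off between a precise pattern and one that also catches unrelated names.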
 
I would also suggest using the ???? for the dynamic entries. It just signifies one character like jcgriff mentioned and furthermore it generates curiosity (at least in me) as to what these drivers are :p

But, my point would be that it would be causing extra trouble? Usasma, do you just have to select and then delete the entries, or is it something different? Though you must add the TMP driver along with a proper description, which means listing all the facts that we know about it. You would need to underline the fact that the WinRing service is only visible in the Event Log and not anywhere in the loaded modules list (except for these temporary drivers) or the MSINFO32 report as well.

We were just plain lucky that the Event Log contained the program which is being associated with this as in almost every other Event Log which was scanned, there was only this service and no information as to what is executing this one.

@jcgriff2 - If you look at the Emsisoft drivers (all of them in the DRT), you would notice that the last 2 digits before ".sys" are 32,86 / 64, which depict the product version which is installed, i.e. whether the 64-bit or 32-bit version is installed on the system. This is not valid in the case of Alcohol/Daemon Tools. But, your point is 120% valid as well. This might confuse us as well in some cases. But, a note in the description as to which conditions this is valid in can be done in bold or some other colour to highlight this kind of tmp????.tmp driver.

@usasma - There is a driver over here - Driver Reference Table - mchInjDrv.sys - which is considered likely to be a part of Emsisoft A Squared. But, I think it is part of other software as well. You can check the driver's name in the strings which are extracted from a different piece of software over here -
Malware scan of Modviewer.exe e99c3c08c5ca999656edb465a58b41d8d0bc4073 - herdProtect
&
https://forums.comodo.com/virusmalw...e/mchinjdrvsys-t9257.0.html;msg67465#msg67465

As far as I can see in the DRT, there are loads of errors which are now coming up because of the fact that links change.
 
