Buffered Code Execution


Presented at SyScan 2008 by

This presentation will cover a new prototype developed in Symantec Research Labs to run kernel-mode drivers from user mode. The technology is primarily intended to sandbox a rootkit driver and monitor its activities; once confined in this way, what the driver is allowed to do can be controlled. Rather than relying on emulation, the rootkit code runs directly on the native hardware, but at ring 3. When the rootkit tries to execute privileged instructions or to read, write or execute kernel-mode memory, the resulting faults are captured and proxied into the kernel, so the rootkit continues to function normally while being prevented from escaping the sandbox. The presentation will discuss the technology behind the prototype and demo the tool in action.
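The trap-and-proxy mechanism the abstract describes, reduced to a single user-mode process, as an added example (this is not the Symantec prototype's code, and it proxies to constructed values rather than into a real kernel). It assumes Linux on x86-64 with GCC or Clang inline assembly: a stand-in "driver" executes ring-0-only instructions (cli, rdmsr, sti) and reads a kernel-half address at ring 3; each one faults and arrives as SIGSEGV, and the handler decodes the faulting instruction, services it from a hypothetical proxy, and resumes execution just past it. The MSR value, the kernel address and the word read from it are all constructed for the example.

```c
/* Added example: user-mode trap-and-proxy of privileged operations.
 * Linux/x86-64 only; the "proxies" answer from constructed values
 * where a real sandbox would forward the request into the kernel. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

enum { OP_CLI = 1, OP_STI, OP_HLT, OP_RDMSR, OP_KREAD };

#define KERNEL_BASE 0xFFFF800000000000ull   /* lowest kernel-half address */
#define MAX_TRAPS   16

static int trap_log[MAX_TRAPS];   /* which privileged ops were intercepted */
static int trap_count;
static uint64_t g_kword;          /* value the fake driver "read" from kernel memory */

/* Hypothetical proxies (constructed answers, not real kernel state). */
static uint64_t proxy_rdmsr(uint32_t msr) {
    if (msr == 0xC0000080u) return 0xD01;  /* IA32_EFER: LME|LMA|SCE|NXE, constructed */
    return 0;
}
static uint64_t proxy_kread(uint64_t addr) {
    if (addr == KERNEL_BASE + 0x1000) return 0x1122334455667788ull; /* constructed */
    return 0;
}

static void record(int op) {
    if (trap_count < MAX_TRAPS) trap_log[trap_count++] = op;
}

/* Both #GP (privileged instruction) and #PF (kernel address) reach us as
 * SIGSEGV. Decode the bytes at RIP, perform the op via a proxy, then move
 * RIP past the instruction so the sandboxed code resumes normally. */
static void fault_handler(int sig, siginfo_t *si, void *uc) {
    (void)sig;
    greg_t *g = ((ucontext_t *)uc)->uc_mcontext.gregs;
    const uint8_t *rip = (const uint8_t *)(uintptr_t)g[REG_RIP];

    if (rip[0] == 0xFA) { record(OP_CLI); g[REG_RIP] += 1; return; }
    if (rip[0] == 0xFB) { record(OP_STI); g[REG_RIP] += 1; return; }
    if (rip[0] == 0xF4) { record(OP_HLT); g[REG_RIP] += 1; return; }
    if (rip[0] == 0x0F && rip[1] == 0x32) {              /* rdmsr: ecx -> edx:eax */
        uint64_t v = proxy_rdmsr((uint32_t)g[REG_RCX]);
        g[REG_RAX] = (greg_t)(v & 0xFFFFFFFFu);
        g[REG_RDX] = (greg_t)(v >> 32);
        record(OP_RDMSR); g[REG_RIP] += 2; return;
    }
    /* mov (%rbx),%rax is 48 8B 03; proxy it only if the fault was in the kernel half. */
    if (rip[0] == 0x48 && rip[1] == 0x8B && rip[2] == 0x03 &&
        (uint64_t)(uintptr_t)si->si_addr >= KERNEL_BASE) {
        g[REG_RAX] = (greg_t)proxy_kread((uint64_t)g[REG_RBX]);
        record(OP_KREAD); g[REG_RIP] += 3; return;
    }
    /* Anything we cannot decode is a real crash: restore the default action
     * and return, so the re-executed instruction terminates the process. */
    signal(SIGSEGV, SIG_DFL);
}

/* Stand-in for a rootkit driver's entry path: mask interrupts, read
 * IA32_EFER, peek at a kernel address, unmask. Every step is ring-0-only. */
static uint64_t fake_driver_entry(void) {
    uint32_t lo, hi;
    uint64_t kaddr = KERNEL_BASE + 0x1000, kval;
    __asm__ volatile ("cli\n\trdmsr"
                      : "=a"(lo), "=d"(hi) : "c"(0xC0000080u) : "memory");
    __asm__ volatile ("movq (%%rbx), %%rax\n\tsti"
                      : "=a"(kval) : "b"(kaddr) : "memory");
    g_kword = kval;
    return ((uint64_t)hi << 32) | lo;
}

/* Install the sandbox handler and run the fake driver; returns the EFER it saw. */
uint64_t run_sandboxed(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    trap_count = 0;
    return fake_driver_entry();
}
uint64_t sandbox_kword(void) { return g_kword; }
int trap_total(void) { return trap_count; }
int trap_at(int i) { return (i >= 0 && i < trap_count) ? trap_log[i] : 0; }

int main(void) {
    uint64_t efer = run_sandboxed();
    printf("EFER=0x%llx kernel word=0x%llx, %d privileged ops proxied\n",
           (unsigned long long)efer, (unsigned long long)sandbox_kword(), trap_total());
    return 0;
}
```

The decode step is where such a sandbox stands or falls: the handler above recognises five fixed encodings and deliberately lets anything else crash rather than guess, because an instruction that is advanced past incorrectly, or a kernel access that is serviced without checking the faulting address, is exactly the kind of gap that lets the confined code escape.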