Driver Analyzer

A static analysis tool that helps security researchers scan a list of Windows kernel drivers for common vulnerability patterns in drivers (CVE makers!)

The generic scan is not robust. It just suggests the potential drivers, but you can write more complex scans for specific APIs. (There is one example in the code tree for MmMapIoSpace API)

For example, in the following picture, you can see a call to the MmMapIoSpace API and its first parameter that is controllable through rcx register (first argument in the fastcall calling convention), so this one has the potential to be a vulnerable call in the driver, you need to do more investigations manually by reversing the driver.

In the end, if you can find a direct path from the IOCTL handler to this function call, congregates you have just found another stupid driver to be exploited.

Note that this project was part of a larger project, and I just separated it as a standalone tool, so there are some inconsistencies in the code style like namings!

How to build

You need to have installed these dependencies.

vcpkg.exe install cereal:x64- indows cereal:x86-windows
vcpkg.exe install zydis:x64-windows zydis:x86-windows
vcpkg.exe install cxxopts:x64-windows cxxopts:x86-windows
vcpkg.exe install lief[pe]:x64-windows lief[pe]:x86-windows

Usage

Usage:
  Vulnerable Driver Scanner [OPTION...]

  -i, --input arg   Path of directory that contains Driver files (*.sys)
  -o, --output arg  Full name of JSON report
  -b, --backup arg  Path of backup directory to have a copy of suspicious
                    driver files