A static analysis tool that helps security researchers scan a list of Windows kernel drivers for common vulnerability patterns in drivers (CVE makers!)
The generic scan is not robust. It just suggests the potential drivers, but you can write more complex scans for specific APIs. (There is one example in the code tree for MmMapIoSpace API)
For example, in the following picture, you can see a call to the
MmMapIoSpace API and its first parameter that is controllable through
rcx register (first argument in the
fastcall calling convention), so this one has the potential to be a vulnerable call in the driver, you need to do more investigations manually by reversing the driver.
In the end, if you can find a direct path from the
IOCTL handler to this function call, congregates you have just found another stupid driver to be exploited.
Note that this project was part of a larger project, and I just separated it as a standalone tool, so there are some inconsistencies in the code style like namings!
How to build
You need to have installed these dependencies.
vcpkg.exe install cereal:x64- indows cereal:x86-windows vcpkg.exe install zydis:x64-windows zydis:x86-windows vcpkg.exe install cxxopts:x64-windows cxxopts:x86-windows vcpkg.exe install lief[pe]:x64-windows lief[pe]:x86-windows
Usage: Vulnerable Driver Scanner [OPTION...] -i, --input arg Path of directory that contains Driver files (*.sys) -o, --output arg Full name of JSON report -b, --backup arg Path of backup directory to have a copy of suspicious driver files