[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1892":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":14,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":27,"discoverSource":28},1892,"DrvEye","0xDbgMan\u002FDrvEye","0xDbgMan","Static analysis & exploitation-triage toolkit for Windows kernel drivers. Discover IOCTLs, Symbolic Links, and check cert , and Downlaods BYOVD ","",null,"Python",183,23,1,0,2,28,3,4.14,"MIT License",false,"main",[],"2026-06-12 02:00:34","\u003Cp align=\"center\">\n  \u003Cimg src=\"logo.png\" alt=\"DrvEye Logo\" width=\"500\">\n\u003C\u002Fp>\n\n# drivertool\n\n**A static-analysis & exploitation-triage toolkit for Windows kernel drivers.**\n\nAnswers two questions about any `.sys` file:\n1. **Will this driver actually load on Windows?** full Authenticode + WDAC + HVCI policy modelling.\n2. 
**What can it do, and how would I exploit it?** IOCTL discovery, taint analysis, exploit-primitive classification, PoC generation.\n\nBuilt for BYOVD hunters, driver triagers, kernel reverse engineers, and security researchers who want a deep static report on a driver in seconds.\n\n---\n\n## What it tells you\n\nFor every driver you point it at:\n\n### Load verdict\n\nA per-Windows-configuration matrix not a single yes\u002Fno:\n\n```\n─── LOAD VERDICT ───\n  Default Win10\u002F11         : WILL LOAD\n  Secure Boot + DSE        : WILL LOAD\n  HVCI \u002F Memory Integrity  : WILL NOT LOAD\n      • FORCE_INTEGRITY flag not set (HVCI requires it)\n      • W+X section present (HVCI forbids RWX)\n  Test-signing mode        : WILL LOAD\n  S Mode                   : WILL NOT LOAD\n      • No WHQL attestation EKU\n```\n\nDriven by full **Authenticode** verification:\n- PKCS#7 signature crypto verify (RSA-PKCS1v15 \u002F ECDSA)\n- Authenticode PE-hash recomputation (catches post-signing tampering)\n- Nested signature parsing (SHA-1 + SHA-256 dual-sign)\n- Counter-signature & RFC 3161 timestamp binding check\n- Live Microsoft trust lists (`authroot.stl`, `disallowedcert.stl`, WDAC vulnerable-driver block list)\n- Chain-anchor classification against kernel-trusted roots\n- Grandfathering: SHA-1 cutoff (2015-07-29), cross-sign cutoff (2021-07-01), legacy-TSA acceptance, expired-with-timestamp\n- EKU propagation, kernel-signing EKUs (WHQL attestation, MS System Component, WSVT)\n- Catalog-signing inference for OS-shipped drivers\n- HVCI prerequisite checks (page hashes, EV cert, WHQL EKU)\n\n### IOCTL surface\n\n```\n[*] Detected IOCTL codes (32):\n    0x7299C008  @0x140004320  (BUFFERED, FILE_READ_WRITE)  → callback removal\n                [!!CB REMOVE] [!!DSE RESOLVE] [!!PPL BYPASS] [!!TOKEN STEAL]\n                bugs=arbitrary-rw,callback-tamper,toctou-attach,token-theft\n                [UNGATED-sink] [shares process-kill-site with 0x7299C00C]\n```\n\nPer IOCTL: handler 
VA, decoded method\u002Faccess, purpose, exploit primitives, bug classes, gate state, shared-site convergence, hash-dispatch reversal, FSCTL slot tagging.\n\nDiscovery via **three independent paths**: dispatch-table walk, WDF emulator, brute-force scan. Plus hash-based dispatch reversal (FNV\u002Fdjb2\u002FCRC32\u002Fsdbm) for anti-RE drivers.\n\n### Exploit primitives + bug classes\n\nFor each handler:\n- **Primitives**: `process-kill`, `token-steal`, `ppl-bypass`, `dse-disable`, `arb-write`, `arb-read`, `physical-rw`, `msr-rw`, `callback-removal`, `etw-disable`, `process-attach`, `thread-inject`, `process-control`\n- **Bug classes**: `arbitrary-rw`, `missing-probe`, `int-overflow-alloc`, `double-fetch`, `toctou-attach`, `dse-bypass`, `callback-tamper`, `token-theft`, `process-kill`, `length-bounded`, `length-unbounded`\n\nClassifications gated by a real analysis stack:\n- **Per-handler taint** (forward, memory, interprocedural via cached function summaries)\n- **Backward slicing** at every dangerous call site → arg provenance (`imm` \u002F `mem_input_buffer+offset` \u002F `api_return` \u002F etc)\n- **Constant propagation** + bounds-check inference\n- **Basic-block CFG** + path-sensitive gate detection (`every path passes through SeAccessCheck?`)\n- **Shared call-site dedup** + thin-wrapper detection (one primitive, multiple entry points)\n- **EPROCESS semantic field map** Token \u002F Protection \u002F SignatureLevel \u002F ImageFilePointer write classification across Win8.1..Win11\n- **Tightened double-fetch detector** (4-gate: same offset + check-between + no capture API + flow-to-sink)\n\n### Device-name recovery\n\nNames recovered via 13+ independent strategies *plus* a Unicorn-emulated `DriverEntry` sandbox for runtime-built names:\n- IAT disasm trace · XOR-decoded UNICODE_STRINGs · XMM stack-spill emulator · stack-packed immediates · `.data` initializers · `RtlStringCbPrintfW` format templates · registry-service paths · `wcscat` composition · GUID 
structures · `POBJECT_ATTRIBUTES.ObjectName` · dynamic prefix templates · symlink-pair inference · Unicorn DriverEntry emulation\n\nPlus minifilter port detection (`FltCreateCommunicationPort`).\n\n### Generated artifacts\n\n| Flag | What you get |\n|---|---|\n| `--save-pocs` | Compilable C `DeviceIoControl` PoCs per IOCTL |\n| `--compile` | Auto-compile PoCs to `.exe` (requires MinGW-w64) |\n| `--fuzzer` | Python + C IOCTL fuzzing harness |\n| `--tracer` | Runtime IOCTL behaviour tracer (probes each IOCTL on a live system) |\n| `--check-script` | PowerShell driver-status checker (load\u002Funload\u002Fevent-log inspect) |\n| `--ida FILE` | IDAPython annotation script (severity-prefixed handler names, struct definitions, primitive call-site comments, arg provenance) |\n| `--json FILE` | Full structured analysis output |\n\n---\n\n## Quick start\n\n```bash\n# Analyze a driver\npython3 DrvEye.py path\u002Fto\u002Fdriver.sys\n\n# Verbose + save PoCs\npython3 DrvEye.py driver.sys -v --save-pocs\n\n# Generate IDAPython annotation script for instant RE acceleration\npython3 DrvEye.py driver.sys --ida driver_annotations.py\n\n# Refresh Microsoft policy data + LOLDrivers intel before scanning\npython3 DrvEye.py --live-check --loldrivers driver.sys\n\n# Batch multiple drivers in one invocation\npython3 DrvEye.py *.sys\n\n# Full power: live data + IDA script + JSON + PoCs + fuzzer\npython3 DrvEye.py driver.sys --live-check --loldrivers \\\n    --json report.json --ida driver.idapy --save-pocs --fuzzer\n```\n\n---\n\n## Installation\n\n### Requirements\n\n- **Python 3.9+**\n- **pefile** PE parsing\n- **capstone** x86-64 disassembly\n- **cryptography** Authenticode RSA\u002FECDSA verification\n- **unicorn** *(optional)* full-CPU emulation for hardened device-name extraction\n- **yara-python** *(optional)* for `--save-pocs` \u002F `--check-script` enrichment\n\n```bash\npip install pefile capstone cryptography unicorn yara-python\n```\n\n### Quick install\n\n```bash\ngit clone 
https:\u002F\u002Fgithub.com\u002F0xDbgMan\u002FDrvEye.git\ncd drivertool\npip install -r requirements.txt    # if a requirements.txt is provided\npython3 DrvEye.py --help\n```\n\n> **Note**: Unicorn is optional. Without it the static device-name recovery still produces results you just lose the emulator fallback for hardened drivers.\n\n---\n\n## CLI reference\n\n```text\nusage: DrvEye.py [-h] [--source SOURCE [SOURCE ...]] [--output-dir DIR]\n                      [--save-pocs] [--verbose] [--no-color] [--compile]\n                      [--device NAME] [--json FILE] [--output FILE]\n                      [--fuzzer] [--check-script] [--tracer] [--ida FILE]\n                      [--live-check] [--loldrivers] [--no-live-policy]\n                      [drivers ...]\n```\n\n| Flag | Description |\n|---|---|\n| `drivers` | One or more `.sys` paths to analyze. |\n| `--source FILES` | Optional C\u002FC++ source files to scan alongside the binary. |\n| `--output-dir DIR` | Directory for generated artifacts (default: `pocs_output`). |\n| `--save-pocs` | Write generated PoC scripts to disk. |\n| `--verbose, -v` | Show all findings + entry-point disassembly + extra detail. |\n| `--no-color` | Disable ANSI color (useful when piping). |\n| `--compile` | Auto-compile generated PoC `.c` files via MinGW-w64. |\n| `--device NAME` | Override device name for PoCs (`MyDriver` → opens `\\\\.\\MyDriver`). |\n| `--json FILE` | Write full analysis results as structured JSON. |\n| `--output FILE, -o` | Redirect human-readable report to file (auto-disables color). |\n| `--fuzzer` | Generate Python + C IOCTL fuzzing harnesses. |\n| `--check-script` | Generate a PowerShell script to load\u002Funload\u002Fcheck the driver on Windows. |\n| `--tracer` | Generate a runtime IOCTL tracer (probes each IOCTL on a live target). |\n| `--ida FILE` | Emit an IDAPython script that annotates the driver in IDA Pro. 
|\n| `--live-check` | Sync MS kernel-trust + cert-revocation + WDAC vulnerable-driver lists from Windows Update (`authroot.stl`, `disallowedcert.stl`, `SiPolicy_Enforced.p7b`). |\n| `--loldrivers` | Extend the local known-vulnerable-driver database with feeds from LOLDrivers, Microsoft, MalwareBazaar, Hybrid Analysis, and HEVD. |\n| `--no-live-policy` | Ignore the cached live policy data (use built-in `KERNEL_TRUSTED_ROOTS` snapshot only). |\n\n---\n\n## Live policy data\n\nBy default, the tool falls back to ~20 hardcoded Microsoft root-CA thumbprints. With `--live-check` it pulls the actual current data Windows uses:\n\n- **`authroot.stl`** ~988 trusted root CA thumbprints\n- **`disallowedcert.stl`** explicitly distrusted cert thumbprints\n- **`SiPolicy_Enforced.p7b`** Microsoft's WDAC vulnerable-driver block list (~889 SHA-1 + ~870 SHA-256 hashes)\n\n`--loldrivers` adds external community\u002Fresearch feeds (LOLDrivers, MalwareBazaar, Hybrid Analysis, HEVD) into a unified local index.\n\nCaches live under `~\u002F.cache\u002Fdrivertool\u002F` and persist between runs. Run weekly to stay current.\n\n```bash\n# One-time refresh ~3-5 seconds, downloads ~350 KB total\npython3 DrvEye.py --live-check --loldrivers driver.sys\n```\n\nAfter the refresh, every subsequent run uses the cached data automatically no need to re-pass the flags.\n\n---\n\n## Output sections\n\n1. **PE summary** SHA-256, imphash, architecture, mitigations, version info\n2. **Authenticode signature** status, primary + nested digest, timestamp, anchor, HVCI prereqs, full chain\n3. **Load verdict** per-config matrix + blockers + passes + confidence\n4. **Imports** dangerous functions called by the driver\n5. **IOCTL codes** every recovered IOCTL with handler VA, purpose, primitives, bug classes, convergence chips\n6. **Exploit primitives** per-IOCTL primitive list with shared-site VAs\n7. **Device access security** IoCreateDeviceSecure status, SDDL, exclusivity, symlink reachability, issues\n8. 
**Device names & symbolic links** all recovered device paths\n9. **Minifilter ports** `FltCreateCommunicationPort` entries (when present)\n10. **Registry references** keys\u002Fvalues the driver reads\n11. **ROP gadgets, exploit chains, taint paths, Z3 solutions** extra detail with `-v`\n\nWith `--verbose`, you also get IRP-handler behavior breakdowns, per-IOCTL recovered input structs, entry-point disassembly, and bug-class taxonomy explanations.\n\n---\n\n## Disclaimer & responsible use\n\nThis tool is built for:\n\n- Legitimate security research, red-team \u002F blue-team operations\n- Driver development and pre-release auditing\n- BYOVD investigation in a defensive context\n- Reverse engineering education and CTF challenges\n\nIt is **not** a malware authoring kit. The PoC \u002F fuzzer \u002F tracer artifacts it generates are stub C\u002FPowerShell harnesses: they require a vulnerable driver on the target system and are intended for analysts confirming reproducibility on systems they own or have explicit authorization to test.\n\nYou are responsible for ensuring you have authorization to analyze any driver, run any generated PoC, or load any binary onto any system. The authors disclaim liability for misuse.\n\nIf you find a vulnerability in a vendor driver, please follow responsible disclosure; the project authors actively support that path.\n\n---\n\n## License\n\nMIT; see [LICENSE](LICENSE).\n\n\n","DrvEye is a static-analysis and exploitation toolkit for Windows kernel drivers that can discover IOCTLs and symbolic links, check certificates, and download BYOVD drivers. Its core features are load verification and capability analysis of `.sys` files: load verification is based on the full Authenticode verification flow and supports load decisions under multiple security configurations, while capability analysis discovers IOCTL interfaces through multiple paths and classifies them in detail, pointing out potential exploit primitives and bug classes. The tool is aimed at bring-your-own-vulnerable-driver (BYOVD) hunters, driver reviewers, kernel reverse engineers, and security researchers who want a deep static report on a driver quickly, and is especially useful when assessing a driver's security or looking for potential attack surface.","2026-06-11 02:46:39","CREATED_QUERY"]