search local system for known lolDrivers
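#Requires -Version 5.1
<#
.SYNOPSIS
    Search the local Windows driver directory for files listed on loldrivers.io.

.DESCRIPTION
    Downloads the loldrivers.io driver catalogue (once per session; the parsed
    result is cached in $lolDriversJson so re-runs skip the download), hashes
    every file directly under %SystemRoot%\System32\drivers with SHA256, SHA1
    and MD5, and reports every file whose hash appears in a KnownVulnerableSamples
    entry of the catalogue.

    Optional test mode: set $lolDriversAddTestCase = $true before running to
    inject one random catalogue hash into the local driver table (path '#test#')
    and confirm the matching logic produces a hit. It is OFF by default so that
    a normal run cannot end with a false "lolDrivers found!" verdict.

.OUTPUTS
    Progress and the final verdict are written to the host. Matches are printed
    as JSON keyed by the matching hash.
#>
Set-StrictMode -Version 'latest'
$ErrorActionPreference = 'stop'

#######################################
# Write a timestamped progress line to the host.
# Arguments: -Message  text to print after the ISO-8601 timestamp
#######################################
function Write-Step {
    param([Parameter(Mandatory)][string]$Message)
    [datetime]::Now.ToString('o') | Write-Host -ForegroundColor Cyan
    $Message | Write-Host -ForegroundColor Cyan
}

#######################################
# Pick the hash property to match a catalogue sample on.
# Prefers SHA256, then SHA1, then MD5, and skips a property that is present
# but empty (the catalogue has entries with missing or blank hashes).
# Arguments: -Sample  one KnownVulnerableSamples entry
# Returns:   the property name as a string
# Throws:    when the sample carries no usable hash at all
#######################################
function Get-SampleHashPropertyName {
    param([Parameter(Mandatory)]$Sample)
    $propertyNames = $Sample.PSObject.Properties.Name
    foreach ( $hashType in ('SHA256', 'SHA1', 'MD5') ) {
        if ( ($propertyNames -contains $hashType) -and -not [string]::IsNullOrWhiteSpace($Sample.$hashType) ) {
            return $hashType
        }
    }
    throw ("fix me" + [System.Environment]::NewLine + ($Sample | Out-String))
}

# Download the catalogue only once per session; Test-Path on the Variable:
# drive avoids a StrictMode error for an undefined variable.
if ( !(Test-Path -Path 'Variable:lolDriversJson' -PathType Leaf) ) {
    Write-Step -Message 'downloading lolJdriver JSON'
    $lolDriversJson = Invoke-RestMethod -Method Get -Uri 'https://www.loldrivers.io/api/drivers.json'
}

# contains duplicates
# $lolDriversJson.KnownVulnerableSamples | Group-Object -Property 'SHA256' | Where-Object -Property 'Count' -NE 1
# $lolDriversJson.KnownVulnerableSamples | Group-Object -Property 'SHA1' | Where-Object -Property 'Count' -NE 1
# $lolDriversJson.KnownVulnerableSamples | Group-Object -Property 'MD5' | Where-Object -Property 'Count' -NE 1
<# missing hashes
$lolDriversJson.KnownVulnerableSamples | Where-Object -FilterScript {
    !($PSItem | Get-Member).Name.Contains('SHA256') -or
    !($PSItem | Get-Member).Name.Contains('SHA1') -or
    !($PSItem | Get-Member).Name.Contains('MD5')
}
#>

$execTimeStart = [datetime]::Now
Write-Step -Message 'building hashtable of driver files and their hashes'

# Resolve the driver directory from the environment rather than assuming C:\windows.
$driverDirectory = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers'

# Key: hash string (any of the three algorithms); value: @{ HashType; path }.
# Case-insensitive because the catalogue and Get-FileHash differ in hex casing.
$htDriverHashPath = [hashtable]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ( $driverFile in (Get-ChildItem -File -LiteralPath $driverDirectory) ) {
    try {
        foreach ( $hashType in ('SHA256', 'SHA1', 'MD5') ) {
            $driverFileHash = Get-FileHash -LiteralPath $driverFile.FullName -Algorithm $hashType
            # Add() throws on a duplicate key; two distinct files sharing a hash
            # would be a genuine collision and is worth surfacing, not hiding.
            $htDriverHashPath.Add(
                $driverFileHash.Hash, @{
                    'HashType' = $hashType
                    'path'     = $driverFileHash.Path
                }
            )
        }
    } catch [System.IO.IOException], [System.UnauthorizedAccessException] {
        # A locked or unreadable file should not abort the whole scan; report it
        # so the operator knows this file was NOT checked.
        Write-Warning -Message ("skipping unreadable driver file '" + $driverFile.FullName + "': " + $PSItem.Exception.Message)
    }
}

# Opt-in self-test: inject one random catalogue hash as if it were installed.
if ( !(Test-Path -Path 'Variable:lolDriversAddTestCase' -PathType Leaf) ) {
    $lolDriversAddTestCase = $false
}
if ( $lolDriversAddTestCase ) {
    Write-Step -Message 'adding a test case to the installed driver list'
    $testDummyDriverFile = ($lolDriversJson | Get-Random -Count 1).KnownVulnerableSamples | Get-Random -Count 1
    $propNameHashType = Get-SampleHashPropertyName -Sample $testDummyDriverFile
    $testHash = $testDummyDriverFile.$propNameHashType
    # If the randomly chosen sample is genuinely installed, keep the real path so
    # the test case cannot mask a true finding.
    if ( !$htDriverHashPath.ContainsKey($testHash) ) {
        $htDriverHashPath.Add(
            $testHash, @{
                'HashType' = $propNameHashType
                'path'     = '#test#'
            }
        )
    }
}

Write-Step -Message 'looking for lolDriver hash matches'

# Key: matching hash; value: @{ driverPath = local table entry; lolDriver = catalogue record }.
$htSearchResults = [hashtable]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ( $lolDriver in $lolDriversJson ) {
    foreach ( $KnownVulnerableSample in $lolDriver.KnownVulnerableSamples ) {
        $propNameHashType = Get-SampleHashPropertyName -Sample $KnownVulnerableSample
        $sampleHash = $KnownVulnerableSample.$propNameHashType
        if ( !$htDriverHashPath.ContainsKey($sampleHash) ) {
            continue
        }
        # duplicates in the lolDriver JSON, eg
        #   FileName: atillk64.sys
        #   SHA256: ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173
        # so only the first catalogue record for a given hash is kept.
        if ( !$htSearchResults.ContainsKey($sampleHash) ) {
            $htSearchResults.Add(
                $sampleHash, @{
                    'driverPath' = $htDriverHashPath[$sampleHash]
                    'lolDriver'  = $lolDriver
                }
            )
        }
    }
}

Write-Host
Write-Host
'time to run, excluding download of lolDriver JSON' | Write-Host
(New-TimeSpan -Start $execTimeStart -End ([datetime]::Now)).TotalSeconds | Write-Host
Write-Host
Write-Host
[datetime]::Now.ToString('o') | Write-Host -ForegroundColor Cyan
if ( $htSearchResults.Count -eq 0 ) {
    'no lolDrivers found' | Write-Host -ForegroundColor Green
} else {
    'lolDrivers found!' | Write-Host -ForegroundColor Red
    # Default -Depth (2) would flatten the nested catalogue record to a string;
    # 4 is enough to keep the driver's sample list readable.
    $htSearchResults | ConvertTo-Json -Depth 4 | Write-Host
}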