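<#
.SYNOPSIS
  Scan a drive for *.sys files and check them against the loldrivers.io list.

.DESCRIPTION
  Every .sys file under -ScanRoot is hashed (SHA256, SHA1 and MD5 of the file
  content, plus the AppLocker/Authenticode SHA256) and looked up in the
  KnownVulnerableSamples of a local copy of drivers.json. Results are printed
  to the console and, where available, shown in Out-GridView with the
  vulnerable entries sorted to the top.

  The scan only reads files (Get-ChildItem, Get-FileHash,
  Get-AppLockerFileInformation); it never loads, unloads or modifies drivers.

.PARAMETER LolDriversFilePath
  Path to drivers.json. Defaults to drivers.json next to this script.
  Download from https://www.loldrivers.io/api/drivers.json

.PARAMETER ScanRoot
  Directory to scan recursively. Defaults to C:\ so that drivers shipped by
  other applications or hardware vendors in their own installation folders are
  included, not only those under System32\drivers.

.OUTPUTS
  Nothing on the pipeline; results go to the console and Out-GridView.
  Exit code 1 when the reference list is missing or unusable, 0 otherwise.
#>
param(
  [string]$LolDriversFilePath = "$PSScriptRoot\drivers.json",
  [string]$ScanRoot = "C:\"
)

# Fail before the (slow) filesystem scan if the reference list is missing.
if (-not (Test-Path -Path $LolDriversFilePath -PathType Leaf)) {
  Write-Host "drivers.json file not found, please download from https://www.loldrivers.io/api/drivers.json and specify path in script or put it in scripts root folder" -ForegroundColor Red
  # Non-zero so a scheduled task or wrapper can tell "not scanned" from "clean".
  Exit 1
}

# Read the whole file at once (-Raw) and parse it. A truncated or otherwise
# malformed download must stop the scan instead of silently matching nothing.
try {
  $loldrivers = Get-Content -Path $LolDriversFilePath -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop
} catch {
  Write-Host "Could not parse $LolDriversFilePath as JSON: $($_.Exception.Message)" -ForegroundColor Red
  Exit 1
}
$samples = @($loldrivers.KnownVulnerableSamples)
if ($samples.Count -eq 0) {
  Write-Host "No KnownVulnerableSamples entries found in $LolDriversFilePath - is this the loldrivers.io drivers.json?" -ForegroundColor Red
  Exit 1
}

# Flatten the reference list into two case-insensitive lookup sets, so each
# driver costs a few O(1) lookups instead of a full pass over every sample
# (Get-FileHash returns upper-case hex, the JSON may use lower-case).
# Empty or missing reference hashes are skipped on purpose: a driver whose
# own hash could not be computed must never "match" an empty reference value.
$knownFileHashes = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
$knownAuthentihashes = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
foreach ($sample in $samples) {
  foreach ($h in @($sample.SHA256, $sample.SHA1, $sample.MD5)) {
    if (-not [string]::IsNullOrWhiteSpace($h)) { [void]$knownFileHashes.Add($h) }
  }
  $authSha256 = $sample.Authentihash.SHA256
  if (-not [string]::IsNullOrWhiteSpace($authSha256)) { [void]$knownAuthentihashes.Add($authSha256) }
}

# Get-AppLockerFileInformation (AppLocker module) produces the Authenticode-style
# SHA256 that loldrivers.io lists as "Authentihash". Without it we still scan on
# file hashes and say so, instead of reporting every driver as "Error".
$haveAppLocker = [bool](Get-Command -Name Get-AppLockerFileInformation -ErrorAction SilentlyContinue)
if (-not $haveAppLocker) {
  Write-Host "Get-AppLockerFileInformation not available - Authentihash check will be skipped" -ForegroundColor Yellow
}

# Get all driver files under the scan root. -Filter is evaluated by the
# filesystem provider and can match more than the literal pattern (8.3 short
# names), so the real extension is re-checked. Access-denied errors on
# protected folders are expected and ignored.
Write-Host "Scanning after sys-files" -ForegroundColor Green
$drivers = @(Get-ChildItem -Path $ScanRoot -Force -Recurse -File -Filter "*.sys" -ErrorAction SilentlyContinue |
  Where-Object { $_.Extension -eq ".sys" })

Write-Host "Hashing the $($drivers.Count) drivers found in $ScanRoot and checking against loldrivers.io JSON file" -ForegroundColor Yellow

# Number of drivers with at least one matching hash (counted once per driver).
$vulnerableCount = 0
# A generic list: "+=" on a PowerShell array copies the whole array per append.
$hashes = New-Object 'System.Collections.Generic.List[object]'

foreach ($driver in $drivers) {
  $path = $driver.FullName

  # Content hashes of the driver file. If these cannot be computed there is
  # nothing to compare, so the driver is recorded as "Error" and skipped.
  try {
    $sha256Hash = (Get-FileHash -Algorithm SHA256 -Path $path -ErrorAction Stop).Hash
    $sha1Hash = (Get-FileHash -Algorithm SHA1 -Path $path -ErrorAction Stop).Hash
    $md5Hash = (Get-FileHash -Algorithm MD5 -Path $path -ErrorAction Stop).Hash
  } catch {
    # Mainly hiberfil.sys, pagefile.sys, swapfile.sys (exclusively locked by the OS)
    $reason = "Hash Calculation Failed: $($_.Exception.Message)"
    $hashes.Add([PSCustomObject]@{
      Driver = $driver.Name
      Status = "Error"
      Path = $path
      SHA256Hash = $reason
      AuthenticodeHash = $reason
      SHA1Hash = $reason
      MD5Hash = $reason
    })
    continue
  }

  # The Authentihash is computed separately so that a failure here (module
  # missing, unsupported file) does not hide a file-hash match behind "Error".
  $authenticodeHash = ""
  $authenticodeOk = $false
  if ($haveAppLocker) {
    try {
      $rawHash = [string](Get-AppLockerFileInformation -Path $path -ErrorAction Stop).Hash
      # The FileHash renders as "SHA256 0x<hex>"; keep only the hex digits
      $authenticodeHash = $rawHash -replace 'SHA256 0X', ''
      $authenticodeOk = -not [string]::IsNullOrWhiteSpace($authenticodeHash)
      if (-not $authenticodeOk) { $authenticodeHash = "Hash Calculation Failed: no hash returned" }
    } catch {
      $authenticodeHash = "Hash Calculation Failed: $($_.Exception.Message)"
    }
  } else {
    $authenticodeHash = "Skipped: Get-AppLockerFileInformation not available"
  }

  $fileHashMatch = $knownFileHashes.Contains($sha256Hash) -or $knownFileHashes.Contains($sha1Hash) -or $knownFileHashes.Contains($md5Hash)
  $authenticodeMatch = $authenticodeOk -and $knownAuthentihashes.Contains($authenticodeHash)

  $status = "OK"
  if ($fileHashMatch -or $authenticodeMatch) {
    $status = "Vulnerable"
    $vulnerableCount++
  }

  $hashes.Add([PSCustomObject]@{
    Driver = $driver.Name
    Status = $status
    Path = $path
    SHA256Hash = $sha256Hash
    AuthenticodeHash = $authenticodeHash
    SHA1Hash = $sha1Hash
    MD5Hash = $md5Hash
  })
}

# Display results in the console with color highlighting - some hash algorithms
# are excluded here but shown in GridView.
Write-Output ""
foreach ($hashEntry in $hashes) {
  $driver = $hashEntry.Driver
  $hash = $hashEntry.SHA1Hash
  $authenticodeHash = $hashEntry.AuthenticodeHash
  $status = $hashEntry.Status
  # Same text for every entry; only the colour depends on the verdict
  $color = switch ($status) {
    "Vulnerable" { "Red" }
    "Error" { "Yellow" }
    default { "Green" }
  }
  Write-Host "Driver: $driver"
  Write-Host "SHA1: $hash AuthenticodeHash: $authenticodeHash Status: $status" -ForegroundColor $color
  Write-Output ""
}

# Sort on the "Status" column so vulnerable drivers come first, then errors.
Write-Output ""
$hashesSorted = $hashes | Sort-Object -Property @{Expression = { if ($_.Status -eq "Vulnerable") { 0 } elseif ($_.Status -eq "Error") { 1 } else { 2 } } }

# Display the sorted results. Out-GridView needs a desktop session and the
# module that provides it; fall back to a plain table where it is not present.
$title = "Results from LOLDrivers scan, $vulnerableCount vulnerable drivers of $($drivers.Count), check Status column for value: Vulnerable, Copy row with CTRL-C"
if (Get-Command -Name Out-GridView -ErrorAction SilentlyContinue) {
  $hashesSorted | Out-GridView -Title $title
} else {
  Write-Host $title -ForegroundColor Cyan
  $hashesSorted | Format-Table -Property Driver, Status, Path, SHA256Hash, AuthenticodeHash -AutoSize | Out-Host
}

Write-Host "Scanning after LOLDrivers completed" -ForegroundColor Green
Write-Host "Found $vulnerableCount Vulnerable Drivers" -ForegroundColor $(if ($vulnerableCount -gt 0) { "Red" } else { "Green" })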