Process killer drivers finder

This script is related to a blog post explaining how to find, reverse and exploit process killer drivers: https://alice.climent-pommeret.red/posts/process-killer-driver/

The purpose of this project is to retrieve potential process killer drivers.

It uses the imported functions attribute of the drivers.json file available on the LOLDrivers project.

To do so, the code selects all drivers importing one of Nt/ZwOpenProcess AND one of Nt/ZwTerminateProcess.

In other words, only drivers importing one of the *OpenProcess AND one of the *TerminateProcess functions are retrieved.

All the drivers retrieved by the script are POTENTIAL process killer drivers, meaning that some of them aren't.

Of course, functions can be imported dynamically, processes can be terminated in other ways, and handles can be obtained without using Nt/ZwOpenProcess.

This script is not bulletproof. It's just a quick and dirty way to find easy targets, so it's 100% sure that it will miss some real process killer drivers available on LOLDrivers.

However, among the drivers retrieved by the script today, some are indeed process killer drivers. So have fun!

Prerequisites

  • Python 3.x
  • Required packages: argparse, json, logging, os, datetime, requests (all from the standard library except requests, which must be installed)

Usage

python finder.py [--api-url API_URL]

Main functions

check_data_changed(api_url)

Check if the API data has changed since the last retrieval. If the data file is not present or the content has changed, download the file.

  • api_url: URL of the API to retrieve data from.

process_data(drivers_data)

Process the drivers' data based on the provided functions list.

  • drivers_data: List of drivers' data obtained from the API.
  • desired_keys: List of keys used for search. If not provided or empty, default 'filename' and 'md5' will be used.

main(api_url)

Main function to retrieve and process data from the LOLDrivers API.

  • api_url: URL of the API to retrieve data from.
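The selection rule described above (a sample must import one of the *OpenProcess AND one of the *TerminateProcess functions) and the two helpers documented here, check_data_changed and process_data, can be illustrated with a small, self-contained script. This is an added example and not the project's finder.py: the feed below is constructed, the field names KnownVulnerableSamples, Filename, MD5 and ImportedFunctions are assumed to match the LOLDrivers drivers.json layout, and headers_changed is an assumed ETag/Last-Modified comparison standing in for whatever check_data_changed actually compares.

```python
import json

# Constructed sample feed in the shape of the LOLDrivers drivers.json file.
# Assumption: each driver entry has a "KnownVulnerableSamples" list and each
# sample carries "Filename", "MD5" and an "ImportedFunctions" list; the real
# feed may name these fields differently.
SAMPLE_FEED = json.dumps([
    {
        "Id": "constructed-0001",
        "KnownVulnerableSamples": [
            {
                "Filename": "kill_a.sys",
                "MD5": "00000000000000000000000000000001",
                "ImportedFunctions": ["ZwOpenProcess", "ZwTerminateProcess", "IoCreateDevice"],
            }
        ],
    },
    {
        "Id": "constructed-0002",
        "KnownVulnerableSamples": [
            {
                "Filename": "kill_b.sys",
                "MD5": "00000000000000000000000000000002",
                "ImportedFunctions": ["NtOpenProcess", "NtTerminateProcess"],
            },
            {
                # opens processes but never terminates them: must NOT be flagged
                "Filename": "reader_b.sys",
                "MD5": "00000000000000000000000000000003",
                "ImportedFunctions": ["ZwOpenProcess", "ZwReadVirtualMemory"],
            },
        ],
    },
    {
        "Id": "constructed-0003",
        "KnownVulnerableSamples": [
            # terminate without open: the AND rule rejects it
            {"Filename": "term_only.sys", "MD5": "00000000000000000000000000000004",
             "ImportedFunctions": ["ZwTerminateProcess"]},
            # sample with no import list at all: must be tolerated, not crash
            {"Filename": "no_imports.sys", "MD5": "00000000000000000000000000000005"},
        ],
    },
])

OPEN_PROCESS = {"NtOpenProcess", "ZwOpenProcess"}
TERMINATE_PROCESS = {"NtTerminateProcess", "ZwTerminateProcess"}


def load_feed(text):
    """Parse the JSON feed text into the list of driver entries."""
    return json.loads(text)


def imports_process_kill_pair(imported_functions):
    """True when the import list contains an *OpenProcess AND a *TerminateProcess."""
    names = {f.strip() for f in (imported_functions or [])}
    return bool(names & OPEN_PROCESS) and bool(names & TERMINATE_PROCESS)


def find_potential_process_killers(drivers_data, desired_keys=None):
    """Return one record per sample matching the rule, carrying the desired keys.

    Mirrors the documented process_data: when desired_keys is empty or missing,
    'Filename' and 'MD5' are reported (assumed field spelling, see lead-in).
    """
    desired_keys = desired_keys or ["Filename", "MD5"]
    hits = []
    for driver in drivers_data:
        for sample in driver.get("KnownVulnerableSamples", []):
            if imports_process_kill_pair(sample.get("ImportedFunctions")):
                record = {"Id": driver.get("Id")}
                record.update({key: sample.get(key) for key in desired_keys})
                hits.append(record)
    return hits


def headers_changed(saved_headers, new_headers):
    """Assumed refresh rule in the spirit of check_data_changed.

    The feed is treated as changed when the validator the server exposes
    (ETag first, otherwise Last-Modified) differs from the saved copy, or when
    neither side exposes a validator at all, so a download is never skipped
    on missing information.
    """
    for key in ("ETag", "Last-Modified"):
        if key in saved_headers or key in new_headers:
            return saved_headers.get(key) != new_headers.get(key)
    return True


if __name__ == "__main__":
    for hit in find_potential_process_killers(load_feed(SAMPLE_FEED)):
        print(hit)
```

Running the block prints the two constructed samples that import both an open and a terminate function (kill_a.sys and kill_b.sys); reader_b.sys, term_only.sys and the sample without an import list are rejected, which is exactly the false-negative/false-positive trade-off the README warns about: dynamically resolved imports or other termination primitives never reach this filter.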

Example usage:

Basic usage:

python finder.py

Setting a specific URL from which to download the drivers.json file:

python finder.py --api-url https://www.loldrivers.io/api/drivers.json

Retrieves data from the LOLDrivers API, saves it to the "drivers.json" file, and saves the API headers to the "headers.json" file.


Thanks to @OMGhozlan for his contribution to the code refactoring!