https://www.virustotal.com/gui/file/5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b/details

https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/

sha256
b6e82a4e6d8b715588bf4252f896e40b766ef981d941d0968f29a3a444f68fef
e23283e75ed2bdabf6c703236f5518b4ca37d32f78d3d65b073496c12c643cfe

https://www.virustotal.com/gui/file/0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc/details

https://github.com/ph4nt0mbyt3/Darkside

https://www.virustotal.com/gui/file/274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab/details

Fresh new RedDrivers found with VTE (seems pretty recent)

new_red.zip

There's been a malware going around that uses the BrDifxapi.exe to sideload unsigned dlls via the BrLogAPI.dll file.

Article: https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor

I'm not sure whether this fits in here though, cause the LOLDrivers page seems to list only the sys files directly, not vulnerable running binaries/exe files from the drivers.

https://github.com/zeze-zeze/CYBERSEC2023-BYOVD-Demo

https://www.virustotal.com/gui/file/23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931?nocache=1

https://tria.ge/230713-kam69afh42/behavioral1#report

Hi!

For a lot of the drivers listed, most of the commands for these drivers are:

sc.exe create ATSZIO64.sys binPath=C:\windows\temp\ATSZIO64.sys type=kernel && sc.exe start ATSZIO64.sys

This doesn't really explain why the driver is vulnerable and what is the issue with it.

For instance, one thing that would be super helpful for red teamers is a link to a what the actual issue with the driver is and how to get it to run attacker/untrusted code in Kernel (if that's the actual reason it's listed as vulnerable)

Hi,
I was introduced to this project yesterday and began some tests to see how they perform against Windows Defender Application Control policies and Microsoft Defender, here are my findings:

Part 1: Malicious files

One of the main problems is using the phrase Living Off The Land, which are supposed to be legitimate non-malicious files that can be misused to circumvent security solutions, but what I'm seeing is straight up malware that Microsoft Defender already detects and blocks.

So, to prevent redundancy, I suggest removing those files from the driver package and instead let default security solution take care of them.
For the rest of the files, there is automatic sample submission and the global MAPS and ISG networks that get notified about these files every time they are run.

Part 2: Non-Malicious files

These are another story. I couldn't find a clear reason for each file as to why it's labeled as LOLDriver.

The questions I'd have in mind (and most likely businesses/enterprises too) about each file is:

• What role does it play in circumventing security measures?
• Does it help bypass WDAC? (If so, it should be reported to Microsoft as well to be added to the official recommended block rules)
• Is there a PoC for it bypassing security measures?
• Does Smart App Control (that uses Intelligent Secure Graph) block them?
• Are some of these drivers also included in Microsoft recommended driver block rules? (to prevent duplication when merging with a WDAC policy)

Microsoft Defender results after running all of the driver files, these are the ones I was referring to that are redundant:

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 27
DidThreatExecute : False
IsActive         : True
Resources        : 
RollupStatus     : 1
SchemaVersion    : 1.0.0.0
SeverityID       : 1
ThreatID         : 226944
ThreatName       : PUA:Win32/Kuping
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 27
DidThreatExecute : False
IsActive         : True
Resources        : 
RollupStatus     : 1
SchemaVersion    : 1.0.0.0
SeverityID       : 1
ThreatID         : 227008
ThreatName       : PUA:Win32/GameBox
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 27
DidThreatExecute : False
IsActive         : True
Resources        : 
RollupStatus     : 1
SchemaVersion    : 1.0.0.0
SeverityID       : 1
ThreatID         : 242420
ThreatName       : PUA:Win32/Presenoker
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 27
DidThreatExecute : False
IsActive         : True
Resources        : 
RollupStatus     : 1
SchemaVersion    : 1.0.0.0
SeverityID       : 1
ThreatID         : 311991
ThreatName       : PUADlManager:Win32/InstallCore
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 34
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147635777
ThreatName       : VirTool:WinNT/Rootkitdrv.HK
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 34
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147668298
ThreatName       : VirTool:WinNT/Exforel.A
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147722997
ThreatName       : Trojan:Win32/Ditertag.A
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 34
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 4
ThreatID         : 2147723443
ThreatName       : HackTool:Win64/CapRoot.A
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147735505
ThreatName       : Trojan:Win32/Wacatac.B!ml
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147750647
ThreatName       : Trojan:Win32/RootkitDrv!MSR
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147753900
ThreatName       : Trojan:Win32/Rootkit!MSR
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 97
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147754624
ThreatName       : Trojan:Win32/Tnega!MSR
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147762521
ThreatName       : Trojan:Win64/Tnega!MSR
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 97
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147805432
ThreatName       : Trojan:Win64/RootkitDrv!MSR
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147805996
ThreatName       : Trojan:Win64/Rootkit!MSR
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 97
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147814523
ThreatName       : Trojan:Win32/Wacatac.H!ml
TypeID           : 0

RunspaceId       : bca4d8af-c8df-4bf6-b486-9cfc82918041
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : 
RollupStatus     : 65
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147842086
ThreatName       : Trojan:Win64/BlackLotus!MSR
TypeID           : 0

The following drivers are blocked when Default Windows WDAC policy is deployed, A total of 431 drivers:

Download file: 👇👇

Blocked by Default Windows Policy.md

The script i used to automate the tests

Execution

$i = 0
(Get-ChildItem "C:\Users\Admin\Desktop\drivers").FullName | ForEach-Object {
New-Service -BinaryPathName $_ -Name "DriverTest$i" -Description $_ -StartupType Manual
Start-Service -Name "DriverTest$i" -ErrorAction SilentlyContinue
$i++
}

Increase Code Integrity Operational log size

$logName = 'Microsoft-Windows-CodeIntegrity/Operational'
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
$log.MaximumSizeInBytes = '50000000'
$log.IsEnabled = $true
$log.SaveChanges()

Logs gathering

$ScriptBlock = {
# Event Viewer Code Integrity logs scan
foreach ($event in Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3077 } -ErrorAction SilentlyContinue ) {
    $xml = [xml]$event.toxml()
    $xml.event.eventdata.data | ForEach-Object { $hash = @{} } { $hash[$_.name] = $_.'#text' } { [pscustomobject]$hash } |
    Select-Object -Property 'SHA256 Hash' , 'File Name', 'OriginalFileName', 'ProductName', 'InternalName', 'FileDescription', 'FileVersion', 'SHA1 Hash', 'USN'
}        
}
$Results = Invoke-Command -ScriptBlock $ScriptBlock
$Results
$Results | clip
Write-Host "A total of $($results.count) drivers have been blocked"

Hi, thank you for this amazing project, i'm trying to build a docker image and i've encountered an error during execution of "hugo serve":

(loldrivers-py3.11) root@7f85c1b3f792:/LOLDrivers/loldrivers.io# hugo serve
Start building sites … 
hugo v0.111.3+extended linux/amd64 BuildDate=2023-03-16T08:41:31Z VendorInfo=debian:0.111.3-1
Error: Error building site: "/LOLDrivers/loldrivers.io/content/_index.md:31:1": failed to extract shortcode: template for shortcode "block" not found
Built in 109 ms`

Any idea? Thanks

https://www.loldrivers.io/drivers/57354c82-ff9c-4a54-8377-d195e4ff0a26/ has a full POC that can be linked to the page available here: https://github.com/kagurazakasanae/Mhyprot2DrvControl/tree/main

Kernel read/write,process memory and killing arbitrary processes from user-mode when sending the right IOCTLS : https://github.com/kagurazakasanae/Mhyprot2DrvControl/blob/main/Driver/MhyProt2.cs#L13 )

As a test, I'm trying: https://www.loldrivers.io/drivers/?query=amifldrv64.sys
which as you'll realize doesn't automatically apply the filter of amifldrv64.sys to the search results, which I suppose is a whole other issue altogether.

But the problem here is that if you click through on the file name (ID) or on the Category values, you'll get a 404'ing page:
https://www.loldrivers.io/drivers/drivers/6d4b0025-7910-483a-ba73-03970995edc3/
https://www.loldrivers.io/drivers/drivers/34fa6ba4-dc7c-4fd6-b947-8a0bb8ebd031/

https://www.virustotal.com/gui/file/42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25/details

https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries

https://www.virustotal.com/gui/file/8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330/community

https://www.virustotal.com/gui/file/1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e

When you click on a driver from the home page, the table that lists it's use cases spells the word privileges incorrectly

In case this is useful to generate ClamAV hashes:

sigtool > LOLDrivers.hdb --sha256 *.bin

Example will look like:

LOLDrivers.hdb
06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf:23744:0067c788e1cb174f008c325ebde56c22.bin

Format:
sha256_hash:filesize:signature_name

Hello,

While working on those LOL drivers, I noticed a few things:

• several documentation files state that the VersionInfo strings come from the PE header, that is incorrect, as they come from a string table in the resources section
• the yara-generator.py uses utf-16be instead of utf-16le to generate the hex encoded strings. This works because there usually is a zero byte before the string from the previous one, but should be fixed
• a few rules only contain a FileVersion or ProductVersion from that string table. These might be too broad and could result in FPs

I can submit a PR for the first two points if desired, for the third point I guess it's up to you, but at least a sentence about it would be helpful.

https://github.com/ZeroMemoryEx/Chaos-Rootkit

https://www.virustotal.com/gui/file/ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1

https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/

https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html

https://www.virustotal.com/gui/file/56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver/indicators-blackcat-ransomware-deploys-new-signed-kernel-driver.txt < for some reason doesn't contain all hashes

dkrtk.sys 91568d7a82cc7677f6b13f11bea5c40cf12d281b Trojan.Win64.VMPROTECT.R002C0RA
https://www.virustotal.com/gui/file/52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677

fgme.sys 0bec69c1b22603e9a385495fbe94700ac36b28e5 Troj.Win32.TRX.XXPE50F13019
ktes.sys 5ed22c0033aed380aa154e672e8db3a2d4c195c4 Troj.Win32.TRX.XXPE50F13019
kt2.sys cb25a5125fb353496b59b910263209f273f3552d Troj.Win32.TRX.XXPE50F13019
ktgn.sys 994e3f5dd082f5d82f9cc84108a60d359910ba79 Rootkit.Win64.POORTRY.A

Hi,

I see that you already have a Sysmon and a Sigma detection files available, I was wondering if you planned to provide a WDAC blocklist, much like the Microsoft recommended WDAC blocklist (cf. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules) ? Or maybe the overlap is already too great to bother with it ?

Thanks ! :)

hey guys! :)

it is more a question than anything else:
which criteria are you guys using to classify a driver as vulnerable or malicious?

in the recently talk by @MHaggis to the SANS DFIR Summit (great one btw 👌) he said "...malicious is something that the adversary created..."
in the same presentation, we can see 2 drivers being mentioned as an example:

but both could do the same nefarious thing (EDR/AV terminator) and the gmer64.sys wasn't created by an adversary, it actually belongs to a tool to detect rootkits (@MHaggis also explained this in the talk)

another odd example that I've recently seen being detected as malicious was wfshbr64.sys 🤔

https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-of-privilege-vulnerabilities/

https://www.virustotal.com/gui/file/0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99/details

In some cases the Microsoft HVCI block list contains SHA384 of signature TBS issuer, would be useful to add that as well in the next version: 41d88e2

I saw @hfiref0x already created another issue. What they did not mention is that their KDU project's README.md contains a whole list of drivers you might be interested in adding to the LOLDrivers (some are not contained yet). See: https://github.com/hfiref0x/KDU

https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/

While investigating the repository, I found a few things that need to be cleaned up.
Based on the data displayed on loldrivers.io:

Duplicate hashes

The listed drivers have the same hash.
In the case of Mhyprot2.sys, the driver is from mhyprot.sys. I have not checked the other examples.

Duplicate tags

In some cases, I found tags that were duplicated, and upon examination, found that they should be listed under "Known Vulnerable Samples" rather than as a single entry. This does not account for all the drivers listed, but I found that sharing them all might be more useful.

Tags

The last thing to mention is the "Category" column.
Here drivers are marked as either: "Malicious, Vulnerable driver, Vulnerable driver". In some cases the singular displays multiple known vulnerable samples, while in other cases the plural contains only one known vulnerable sample.

Question

As for this issue, I'd like to submit some of these changes, but being new to this, the question is where to start.
Would it be enough to edit the corresponding .yml files, or would it be necessary to edit the .md as well? Or what would be the recommended way (besides forking and so on)?

Found news hashes related to hw.sys via Elastic rule Windows_VulnDriver_MarvinHW_37326842

• fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c
• 55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa

In addition to your Sigma and Sysmon detection rules, I made a client that scans the default Windows driver directories (or a specified one), against the checksums of your JSON API. I would appreciate some feedback.

Process killer drivers signed with stolen certificats found on VTE

process_killer.zip

vulnerable versions of the driver can be used to escalate to wintcb PPL, see https://infosec.exchange/@Rairii/109310279380973806

when I was testing, I used the version with SHA256: 2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797
probably many more versions exist

hey guys! :)

I am currently having some troubles to use/import the CSV file obtained from https://www.loldrivers.io/api/drivers.csv because the values are not enclosed within double quotes.

checking other APIs like hijacklibs, abuse.ch and urlhaus I realized that the "standard" is using double quotes.

has anyone faced the same issue?

Two years ago, I started a private repository containing a lot of vulnerable Windows drivers. It was meant to be a side project of mine and never became something similar to LOLDrivers. I thought I could help you with your project by making it publicly accessible https://github.com/VoidSec/VulnerableWindowsDrivers
Most drivers have a corresponding (SHA256) hash, signer, and brief description. Drivers that don’t have a hash appended to their name were “new” and never categorized (e.g. the notorious DELL dbutil_2_3.sys - CVE-2021-21551)

Let me know if there's anything I can help you with :)

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00051.html

Detected file name: Mozglue.dll
Virus Total link: https://www.virustotal.com/gui/file/fede6e1698ffece6eca17f5b14511e027516b6f15917e624e8cdcfac97657ee2
Virus total results: 22/69 -

SHA1: 7b35c543bec4e34c34957ca4a7125789b89ba29d
SHA256: fede6e1698ffece6eca17f5b14511e027516b6f15917e624e8cdcfac97657ee2
MD5: 307e74b730405cede8e39c1139f69650

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376

the bootkit loads the driver into memory itself, the driver is unsigned and never touches disk as plaintext. (3 of the samples listed were uploaded to VT by me after dumping and decrypting them from the blacklotus bootloader samples)

if you really meant to specify "windows boot applications vulnerable to baton drop", you'll be searching for a long time, especially considering MS removed all bootmgr.efi/bootmgfw.efi/hvloader.efi binaries from the symbol server after it was found out that blacklotus installers downloaded them.

Driver's name: procexp152.sys
MD5: AD03F225247B58A57584B40A4D1746D3
SHA-1: e525f54b762c10703c975132e8fc21b6cd88d39b
SHA-256: 59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879

Links: https://malware.news/t/lazarus-group-attack-case-using-vulnerability-of-certificate-software-commonly-used-by-public-institutions-and-universities/67715
https://waawaa.github.io/en/Bypass-PPL-Using-Process-Explorer/

https://www.virustotal.com/gui/file/59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879

samples:
https://www.virustotal.com/gui/file/e8b1a0ddc7a4404eb3c46217e07b5ed91723f44464a6ef589634aeb4fb8f5666
https://www.virustotal.com/gui/file/e3a1f0d967335c8a080a5b1e7e3a06a61f6cea39739cda3ebab11d2908713d80

Seems to be related to capcom.sys (device name is obfuscated, and is Htsysm4EFB)

Opus info says the responsible vendor is "株式会社ＤＮＰハイパーテック" so is probably related to HyperTech DNP CrackProof DRM/PE protector/anti-cheat/anti-tamper solution.

Malicious functionality is a few IOCTLs that give 32-bit read, 32-bit OR, 32-bit bitmask unset (&= ~Value) on an arbitrary (checked to be less than 0x1000) offset of current process EPROCESS object from usermode.

The functionality is gated on also providing 32-bit crypted value (custom algo), of which plaintext is the sum of current process PID and a value initialised to KUSER_SHARED_DATA::SystemTime (another IOCTL passes this value to usermode with no additional checks).

Escalating to protected process is an obvious use case. Probably other privesc is also possible if the driver is already running (not sure if attacker could craft a token object in usermode address space for example).

In large, diverse environments, it is hard for a security team to assess which vulnerable drivers might break production if they are simply blocked or removed.

I just had a discussion with some colleagues and we thought that it would be useful to add information which drivers could be updated automatically to a non-vulnerable version through Windows update mechanisms. Or if the vendor has published a non-vulnerable driver at all.

Apparently, Microsoft has been doing some work in this area, but I don't know if there's a useful API that one could query to automatically retrieve that information.

Surprised to not find this classic here

http://kat.lua.cz/posts/Some_fun_with_vintage_bugs_and_driver_signing_enforcement/

Add driver related to http://rweverything.com/

bundled with chinese application "DrvCeo" is a set of rootkits:

encrypted 7z archive (password: 3BuW!$2PDVP^!Mc9u*AJ3CEasM4JDmgg ) containing the drivers:
https://www.virustotal.com/gui/file/68485b81c96438a821c3a11557ac6551a02e78d7c37152be2c266d2c08955136

drivers themselves:
https://www.virustotal.com/gui/file/55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03
https://www.virustotal.com/gui/file/1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3
https://www.virustotal.com/gui/file/c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633
https://www.virustotal.com/gui/file/f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6
https://www.virustotal.com/gui/file/ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8
https://www.virustotal.com/gui/file/9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504
https://www.virustotal.com/gui/file/3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb
https://www.virustotal.com/gui/file/b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71

the malicious functionality:

• prevents registry value writing where the registry key or value includes "dcprotect" or "drvceo"
• prevents file deletion if pathname contains "driverdownload", "program files\sysceo", "program files (x86)\sysceo"

Hi, we have implemented wdac in our organization based on merging allowall.xml policy and blocking policy for a few specific vendors and products.
We encounter a problem on portableapps.com applications: the setups are indeed blocked but if the application is unpacked, it doesn't matter if I block by the publisher, the hash, the path, the file name, etc., the execution is still allowed.
On the other hand, if my policy is based on merging a scan of the workstation with the blocking policy, everything is blocked.
So the problem would come from the allowall policy?

Another problem, the execution of a specific MSP patch is blocked even if the policy applied on the workstation is only allowall

Hello,

Here is couple of suggestions, my opinion if you don’t mind.

First of all, by bringing such collaborative list you should clearly specify what you mean under term “loldrivers”. Is it legitimate drivers which have some shady functionality? Or it is legitimate driver that turns into hacking tool by a bug? Or legitimate driver that unexpectedly turned into wormhole? Or it is all from above? Your list labelling as loldrivers literally everything – from legitimate bugged drivers to legitimate drivers with shady functionality and even just pure malware drivers signed with leaked certs. You have to distinguish what you want to represent. Malware drivers for example doesn't fit into any possible category of BYOVD which is what you describe as synonim to loldrivers.

If your plan is to organize your list as table, what is a practical purpose of “author”, “created” and “command” columns? “Author” and “created” are meaningless information nobody cares.

When someone looks for list of vulnerable drivers what they want is driver name, driver hash (optionally including Authenticode hash), optionally software name and a direct download link to exact sample.

The “command” column is totally useless and I will explain you why. I do not understand purpose of it. First, there are bunch of drivers that can’t be properly initialized by just creating service entry via executing sc commands. And even more – if you create registry entry with SCM this doesn’t guarantee you that driver you want to load will be accessible after successful load by sc command. That’s because some drivers actually built using driver frameworks that expect more information for proper driver initialization compared to simple legacy WDM stuff. If not initialized they won't create any device objects/symlinks etc, meaning no communication will be available. Second, even if loaded - some drivers will not be accessible without magic tricks which are specific to each sample. For example ENE drivers require caller checks to be passed to open a handle for them, and these checks are different for various versions of the drivers. Without this they will simple sit in kernel memory doing nothing while been inaccessible for user mode requests. Asrock drivers are based on RwEverything which requires IOCTL data to be encrypted with AES, etc. The amount of work required to load and “unlock” such drivers will not fit into any kind of table column.

As of source of this list, I see it incorporates mostly MSFT blocklist, and some of the open source lists available on github, for example from namazso. Okay, but.

There is a general problem with MSFT list. It is clunky and unprofessionally maintained.

From the beginning they started adding too much trash that nobody except MS seen while ignoring popular and widely exposed samples. For example – RTCore from MSI was known to be wormhole few years and they added it into this list just recently after some mass media hysterics. Or Process Explorer driver as another example. What they are doing is constantly adding various trash no one cares from unknowncheats.me and similar game cheat-oriented forums. I understand that signed BlackBone driver used by 100-150 users of unknowncheats exposes a giant THREAT to the MSFT while publically available exploited WHQL’ed drivers from senior hardware vendors are not. Even now they ignore entire set of drivers from some pseudo-ISV companies (one of it perfectly works with HVCI on) and drivers used recently in APT attacks (that even had some CVE numbers assigned) while busy fighting with numerous BEDaisy (BattleEye anticheat) drivers – a fresh upload from lurker on unknowncheats for sure. I’m not even talking about DELL drivers which they still cannot properly insert into their blocklist. Another kind of trash in this list is vulnerable drivers that are just… bugged. They have no value from attacker perspective (exploit primitive doesn’t work in modern Windows versions and this list is not available where this driver works) or when exploiting such drivers will bring too much instability for target system. Not every vulnerable driver is worth exploiting or can be used, it is far from everything. Even CVE id is not guarantee here. For past few years too much trash and noise were created with duplicate CVE describing same bugs with same but differently named drivers (hello winring0/winio). After all of this judging on amount of resources MSFT has - their list is unprofessionally maintained and doesn't worth a cent. So by blindly incorporating everything from this blocklist in yours you are just trashing it.

I’ve no idea how you will maintain this list without doing actual check of every sample you add.

https://www.virustotal.com/gui/file/d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c/details

IIUC, most of the drivers are known to be vulnerable (some are vulnerable, others are malicious), and many do not have CVE IDs. Also it may be a costly manual effort to even figure out if CVE IDs exist.

Feature request: Add an optional CVE ID field to YML-Template.yml. When populated, display the CVE ID in the Description or Resources section of the web page for the specific driver.