drivertool

April 27, 2026 · View on GitHub

DrvEye Logo

drivertool

A static-analysis & exploitation-triage toolkit for Windows kernel drivers.

Answers two questions about any .sys file:

  1. Will this driver actually load on Windows? full Authenticode + WDAC + HVCI policy modelling.
  2. What can it do, and how would I exploit it? IOCTL discovery, taint analysis, exploit-primitive classification, PoC generation.

Built for BYOVD hunters, driver triagers, kernel reverse engineers, and security researchers who want a deep static report on a driver in seconds.


What it tells you

For every driver you point it at:

Load verdict

A per-Windows-configuration matrix not a single yes/no:

─── LOAD VERDICT ───
  Default Win10/11         : WILL LOAD
  Secure Boot + DSE        : WILL LOAD
  HVCI / Memory Integrity  : WILL NOT LOAD
      • FORCE_INTEGRITY flag not set (HVCI requires it)
      • W+X section present (HVCI forbids RWX)
  Test-signing mode        : WILL LOAD
  S Mode                   : WILL NOT LOAD
      • No WHQL attestation EKU

Driven by full Authenticode verification:

  • PKCS#7 signature crypto verify (RSA-PKCS1v15 / ECDSA)
  • Authenticode PE-hash recomputation (catches post-signing tampering)
  • Nested signature parsing (SHA-1 + SHA-256 dual-sign)
  • Counter-signature & RFC 3161 timestamp binding check
  • Live Microsoft trust lists (authroot.stl, disallowedcert.stl, WDAC vulnerable-driver block list)
  • Chain-anchor classification against kernel-trusted roots
  • Grandfathering: SHA-1 cutoff (2015-07-29), cross-sign cutoff (2021-07-01), legacy-TSA acceptance, expired-with-timestamp
  • EKU propagation, kernel-signing EKUs (WHQL attestation, MS System Component, WSVT)
  • Catalog-signing inference for OS-shipped drivers
  • HVCI prerequisite checks (page hashes, EV cert, WHQL EKU)

IOCTL surface

[*] Detected IOCTL codes (32):
    0x7299C008  @0x140004320  (BUFFERED, FILE_READ_WRITE)  → callback removal
                [!!CB REMOVE] [!!DSE RESOLVE] [!!PPL BYPASS] [!!TOKEN STEAL]
                bugs=arbitrary-rw,callback-tamper,toctou-attach,token-theft
                [UNGATED-sink] [shares process-kill-site with 0x7299C00C]

Per IOCTL: handler VA, decoded method/access, purpose, exploit primitives, bug classes, gate state, shared-site convergence, hash-dispatch reversal, FSCTL slot tagging.

Discovery via three independent paths: dispatch-table walk, WDF emulator, brute-force scan. Plus hash-based dispatch reversal (FNV/djb2/CRC32/sdbm) for anti-RE drivers.

Exploit primitives + bug classes

For each handler:

  • Primitives: process-kill, token-steal, ppl-bypass, dse-disable, arb-write, arb-read, physical-rw, msr-rw, callback-removal, etw-disable, process-attach, thread-inject, process-control
  • Bug classes: arbitrary-rw, missing-probe, int-overflow-alloc, double-fetch, toctou-attach, dse-bypass, callback-tamper, token-theft, process-kill, length-bounded, length-unbounded

Classifications gated by a real analysis stack:

  • Per-handler taint (forward, memory, interprocedural via cached function summaries)
  • Backward slicing at every dangerous call site → arg provenance (imm / mem_input_buffer+offset / api_return / etc)
  • Constant propagation + bounds-check inference
  • Basic-block CFG + path-sensitive gate detection (every path passes through SeAccessCheck?)
  • Shared call-site dedup + thin-wrapper detection (one primitive, multiple entry points)
  • EPROCESS semantic field map Token / Protection / SignatureLevel / ImageFilePointer write classification across Win8.1..Win11
  • Tightened double-fetch detector (4-gate: same offset + check-between + no capture API + flow-to-sink)

Device-name recovery

Names recovered via 13+ independent strategies plus a Unicorn-emulated DriverEntry sandbox for runtime-built names:

  • IAT disasm trace · XOR-decoded UNICODE_STRINGs · XMM stack-spill emulator · stack-packed immediates · .data initializers · RtlStringCbPrintfW format templates · registry-service paths · wcscat composition · GUID structures · POBJECT_ATTRIBUTES.ObjectName · dynamic prefix templates · symlink-pair inference · Unicorn DriverEntry emulation

Plus minifilter port detection (FltCreateCommunicationPort).

Generated artifacts

FlagWhat you get
--save-pocsCompilable C DeviceIoControl PoCs per IOCTL
--compileAuto-compile PoCs to .exe (requires MinGW-w64)
--fuzzerPython + C IOCTL fuzzing harness
--tracerRuntime IOCTL behaviour tracer (probes each IOCTL on a live system)
--check-scriptPowerShell driver-status checker (load/unload/event-log inspect)
--ida FILEIDAPython annotation script (severity-prefixed handler names, struct definitions, primitive call-site comments, arg provenance)
--json FILEFull structured analysis output

Quick start

# Analyze a driver
python3 DrvEye.py path/to/driver.sys

# Verbose + save PoCs
python3 DrvEye.py driver.sys -v --save-pocs

# Generate IDAPython annotation script for instant RE acceleration
python3 DrvEye.py driver.sys --ida driver_annotations.py

# Refresh Microsoft policy data + LOLDrivers intel before scanning
python3 DrvEye.py --live-check --loldrivers driver.sys

# Batch multiple drivers in one invocation
python3 DrvEye.py *.sys

# Full power: live data + IDA script + JSON + PoCs + fuzzer
python3 DrvEye.py driver.sys --live-check --loldrivers \
    --json report.json --ida driver.idapy --save-pocs --fuzzer

Installation

Requirements

  • Python 3.9+
  • pefile PE parsing
  • capstone x86-64 disassembly
  • cryptography Authenticode RSA/ECDSA verification
  • unicorn (optional) full-CPU emulation for hardened device-name extraction
  • yara-python (optional) for --save-pocs / --check-script enrichment
pip install pefile capstone cryptography unicorn yara-python

Quick install

git clone https://github.com/0xDbgMan/DrvEye.git
cd drivertool
pip install -r requirements.txt    # if a requirements.txt is provided
python3 DrvEye.py --help

Note: Unicorn is optional. Without it the static device-name recovery still produces results you just lose the emulator fallback for hardened drivers.


CLI reference

usage: DrvEye.py [-h] [--source SOURCE [SOURCE ...]] [--output-dir DIR]
                      [--save-pocs] [--verbose] [--no-color] [--compile]
                      [--device NAME] [--json FILE] [--output FILE]
                      [--fuzzer] [--check-script] [--tracer] [--ida FILE]
                      [--live-check] [--loldrivers] [--no-live-policy]
                      [drivers ...]
FlagDescription
driversOne or more .sys paths to analyze.
--source FILESOptional C/C++ source files to scan alongside the binary.
--output-dir DIRDirectory for generated artifacts (default: pocs_output).
--save-pocsWrite generated PoC scripts to disk.
--verbose, -vShow all findings + entry-point disassembly + extra detail.
--no-colorDisable ANSI color (useful when piping).
--compileAuto-compile generated PoC .c files via MinGW-w64.
--device NAMEOverride device name for PoCs (MyDriver → opens \\.\MyDriver).
--json FILEWrite full analysis results as structured JSON.
--output FILE, -oRedirect human-readable report to file (auto-disables color).
--fuzzerGenerate Python + C IOCTL fuzzing harnesses.
--check-scriptGenerate a PowerShell script to load/unload/check the driver on Windows.
--tracerGenerate a runtime IOCTL tracer (probes each IOCTL on a live target).
--ida FILEEmit an IDAPython script that annotates the driver in IDA Pro.
--live-checkSync MS kernel-trust + cert-revocation + WDAC vulnerable-driver lists from Windows Update (authroot.stl, disallowedcert.stl, SiPolicy_Enforced.p7b).
--loldriversExtend the local known-vulnerable-driver database with feeds from LOLDrivers, Microsoft, MalwareBazaar, Hybrid Analysis, and HEVD.
--no-live-policyIgnore the cached live policy data (use built-in KERNEL_TRUSTED_ROOTS snapshot only).

Live policy data

By default, the tool falls back to ~20 hardcoded Microsoft root-CA thumbprints. With --live-check it pulls the actual current data Windows uses:

  • authroot.stl ~988 trusted root CA thumbprints
  • disallowedcert.stl explicitly distrusted cert thumbprints
  • SiPolicy_Enforced.p7b Microsoft's WDAC vulnerable-driver block list (~889 SHA-1 + ~870 SHA-256 hashes)

--loldrivers adds external community/research feeds (LOLDrivers, MalwareBazaar, Hybrid Analysis, HEVD) into a unified local index.

Caches live under ~/.cache/drivertool/ and persist between runs. Run weekly to stay current.

# One-time refresh ~3-5 seconds, downloads ~350 KB total
python3 DrvEye.py --live-check --loldrivers driver.sys

After the refresh, every subsequent run uses the cached data automatically no need to re-pass the flags.


Output sections

  1. PE summary SHA-256, imphash, architecture, mitigations, version info
  2. Authenticode signature status, primary + nested digest, timestamp, anchor, HVCI prereqs, full chain
  3. Load verdict per-config matrix + blockers + passes + confidence
  4. Imports dangerous functions called by the driver
  5. IOCTL codes every recovered IOCTL with handler VA, purpose, primitives, bug classes, convergence chips
  6. Exploit primitives per-IOCTL primitive list with shared-site VAs
  7. Device access security IoCreateDeviceSecure status, SDDL, exclusivity, symlink reachability, issues
  8. Device names & symbolic links all recovered device paths
  9. Minifilter ports FltCreateCommunicationPort entries (when present)
  10. Registry references keys/values the driver reads
  11. ROP gadgets, exploit chains, taint paths, Z3 solutions extra detail with -v

With --verbose, you also get IRP-handler behavior breakdowns, per-IOCTL recovered input structs, entry-point disassembly, and bug-class taxonomy explanations.


Disclaimer & responsible use

This tool is built for:

  • Legitimate security research, red-team / blue-team operations
  • Driver development and pre-release auditing
  • BYOVD investigation in a defensive context
  • Reverse engineering education and CTF challenges

It is not a malware authoring kit. The PoC / fuzzer / tracer artifacts it generates are stub C/PowerShell harnesses they require a vulnerable driver on the target system and are intended for analysts confirming reproducibility on systems they own or have explicit authorization to test.

You are responsible for ensuring you have authorization to analyze any driver, run any generated PoC, or load any binary onto any system. The authors disclaim liability for misuse.

If you find a vulnerability in a vendor driver, please follow responsible disclosure the project authors actively support that path.


License

MIT see LICENSE.