diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..019b30b --- /dev/null +++ b/.gitignore @@ -0,0 +1,40 @@ + +.vs/CheckDrivers/project-colors.json +.vs/CheckDrivers/v17/.suo +bin/Debug/CheckDrivers.exe +bin/Debug/CheckDrivers.exe.config +bin/Debug/CheckDrivers.pdb +bin/Debug/drivers.json +bin/Debug/System.Diagnostics.DiagnosticSource.dll +bin/x64/Debug/CheckDrivers.exe +bin/x64/Debug/CheckDrivers.exe.config +bin/x64/Debug/CheckDrivers.pdb +bin/x64/Debug/drivers.json +bin/x64/Debug/System.Diagnostics.DiagnosticSource.dll +obj/CheckDrivers.csproj.nuget.dgspec.json +obj/CheckDrivers.csproj.nuget.g.props +obj/CheckDrivers.csproj.nuget.g.targets +obj/Debug/.NETFramework,Version=v4.8.AssemblyAttributes.cs +obj/Debug/CheckDrivers.csproj.AssemblyReference.cache +obj/Debug/CheckDrivers.csproj.CopyComplete +obj/Debug/CheckDrivers.csproj.CoreCompileInputs.cache +obj/Debug/CheckDrivers.csproj.FileListAbsolute.txt +obj/Debug/CheckDrivers.csproj.Fody.CopyLocal.cache +obj/Debug/CheckDrivers.csproj.Fody.RuntimeCopyLocal.cache +obj/Debug/CheckDrivers.csproj.SuggestedBindingRedirects.cache +obj/Debug/CheckDrivers.exe +obj/Debug/CheckDrivers.pdb +obj/Debug/Costura/1E76E6099570EDE620B76ED47CF8D03A936D49F8.costura.newtonsoft.json.dll.compressed.compressed +obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache +obj/project.assets.json +obj/project.nuget.cache +obj/x64/Debug/.NETFramework,Version=v4.8.AssemblyAttributes.cs +obj/x64/Debug/CheckDrivers.csproj.CopyComplete +obj/x64/Debug/CheckDrivers.csproj.CoreCompileInputs.cache +obj/x64/Debug/CheckDrivers.csproj.FileListAbsolute.txt +obj/x64/Debug/CheckDrivers.csproj.Fody.CopyLocal.cache +obj/x64/Debug/CheckDrivers.csproj.Fody.RuntimeCopyLocal.cache +obj/x64/Debug/CheckDrivers.csproj.SuggestedBindingRedirects.cache +obj/x64/Debug/CheckDrivers.exe +obj/x64/Debug/CheckDrivers.pdb +obj/x64/Debug/Costura/1E76E6099570EDE620B76ED47CF8D03A936D49F8.costura.newtonsoft.json.dll.compressed.compressed diff --git a/App.config b/App.config index a7490eb..5ffd8f8 100644 --- a/App.config +++ b/App.config @@ -1,6 +1,6 @@ - + diff --git a/CheckDrivers.csproj b/CheckDrivers.csproj index 2c2cdd9..2304d31 100644 --- a/CheckDrivers.csproj +++ b/CheckDrivers.csproj @@ -8,7 +8,7 @@ Exe CheckDrivers CheckDrivers - v4.5.1 + v4.8 512 true true diff --git a/Program.cs b/Program.cs index 01365ba..43d87e1 100644 --- a/Program.cs +++ b/Program.cs @@ -7,11 +7,19 @@ using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Text.RegularExpressions; +using System.Threading; namespace CheckDrivers { internal class Program { + public static bool edrfound = false; + public static bool vulndrv = false; + public static bool download = false; + public static bool drvlist = false; + public static bool edrcheck = false; + public static bool compare = false; + [DllImport("psapi")] static extern bool EnumDeviceDrivers([MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.U4)][In][Out] IntPtr[] ddAddresses, UInt32 arraySizeBytes, [MarshalAs(UnmanagedType.U4)] out UInt32 bytesNeeded); @@ -29,7 +37,7 @@ public class KnownVulnerableSamples { [JsonProperty(PropertyName = "Filename")] public string Filename { get; set; } - + [JsonProperty(PropertyName = "SHA256")] public string SHA256 { get; set; } } @@ -45,33 +53,88 @@ private static string GetChecksum(string file) } } - + static void ResetValues() + { + edrfound = false; + vulndrv = false; + download = false; + drvlist = false; + edrcheck = false; + compare = false; + } static void Help() { Console.WriteLine(@"" + - "--dl - Download drivers.json from loldrivers.io\n" + - "--list - Use EnumDeviceDrivers to list current drivers\n" + - "--compare - Compare current drivers with loldrivers.io drivers list\n" + - "--edr - Check if current drivers correspond to known EDR drivers\n" + - "--help, -h - Display help" + + "1. --help, -h - Display help" + + "2. --dl - Download drivers.json from loldrivers.io\n" + + "3. --list - Use EnumDeviceDrivers to list current drivers\n" + + "4. --compare - Compare current drivers with loldrivers.io drivers list\n" + + "5. --edr - Check if current drivers correspond to known EDR drivers\n" + ""); return; } + + static void AttemptDownload() + { + + string uri = "https://www.loldrivers.io/api/drivers.json"; + string filePath = "drivers.json"; + + System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls + | System.Net.SecurityProtocolType.Tls11 + | System.Net.SecurityProtocolType.Tls12; + + using (System.Net.WebClient wc = new System.Net.WebClient()) + { + + // Subscribe to the DownloadFileCompleted event + wc.DownloadFileCompleted += (sender, e) => + { + if (e.Error != null) + { + Console.WriteLine($"[!] Download failed: {e.Error.Message}"); + } + else if (e.Cancelled) + { + Console.WriteLine("[!] Download canceled."); + } + else + { + Console.WriteLine("[+] drivers.json file downloaded successfully."); + Console.WriteLine("Press any key to exit."); + + } + }; + + try + { + // Start the asynchronous download + wc.DownloadFileAsync(new Uri(uri), filePath); + Console.WriteLine("Downloading... Press any key to cancel."); + Console.ReadKey(); // Prevents the application from exiting immediately + } + catch (Exception ex) + { + Console.WriteLine($"[!] An error occurred: {ex.Message}"); + } + } + + } static void Main(string[] args) { - - List edrdrv = new List{ "tbimdsa.sys", "TMEBC64.sys", "tmeyes.sys", "cyvrlpc.sys", "egfilterk.sys", "atc.sys", "vlflt.sys", "csacentr.sys", "csaenh.sys", "csareg.sys", "csascr.sys", "csaav.sys", "csaam.sys", "esensor.sys", "fsgk.sys", "fsatp.sys", "fshs.sys", "eaw.sys", "im.sys", "csagent.sys", "rvsavd.sys", "dgdmk.sys", "atrsdfw.sys", "mbamwatchdog.sys", "edevmon.sys", "SentinelMonitor.sys", "edrsensor.sys", "ehdrv.sys", "HexisFSMonitor.sys", "CyOptics.sys", "CarbonBlackK.sys", "CyProtectDrv32.sys", "CyProtectDrv64.sys", "CRExecPrev.sys", "ssfmonm.sys", "CybKernelTracker.sys", "SAVOnAccess.sys", "savonaccess.sys", "sld.sys", "aswSP.sys", "FeKern.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "mfeaskm.sys", "mfencfilter.sys", "WFP_MRT.sys", "groundling32.sys", "SAFE-Agent.sys", "groundling64.sys", "avgtpx86.sys", "avgtpx64.sys", "pgpwdefs.sys", "GEProtection.sys", "diflt.sys", "sysMon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys", "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter.sys", "symevent.sys", "VirtualAgent.sys", "vxfsrep.sys", "VirtFile.sys", "SymAFR.sys", "symefasi.sys", "symefa.sys", "symefa64.sys", "SymHsm.sys", "evmf.sys", "GEFCMP.sys", "VFSEnc.sys", "pgpfs.sys", "fencry.sys", "symrg.sys", "cfrmd.sys", "cmdccav.sys", "cmdguard.sys", "CmdMnEfs.sys", "MyDLPMF.sys", "PSINPROC.SYS", "PSINFILE.SYS", "amfsm.sys", "amm8660.sys", "amm6460.sys"}; + + List edrdrv = new List { "tbimdsa.sys", "TMEBC64.sys", "tmeyes.sys", "cyvrlpc.sys", "egfilterk.sys", "atc.sys", "vlflt.sys", "csacentr.sys", "csaenh.sys", "csareg.sys", "csascr.sys", "csaav.sys", "csaam.sys", "esensor.sys", "fsgk.sys", "fsatp.sys", "fshs.sys", "eaw.sys", "im.sys", "csagent.sys", "rvsavd.sys", "dgdmk.sys", "atrsdfw.sys", "mbamwatchdog.sys", "edevmon.sys", "SentinelMonitor.sys", "edrsensor.sys", "ehdrv.sys", "HexisFSMonitor.sys", "CyOptics.sys", "CarbonBlackK.sys", "CyProtectDrv32.sys", "CyProtectDrv64.sys", "CRExecPrev.sys", "ssfmonm.sys", "CybKernelTracker.sys", "SAVOnAccess.sys", "savonaccess.sys", "sld.sys", "aswSP.sys", "FeKern.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "mfeaskm.sys", "mfencfilter.sys", "WFP_MRT.sys", "groundling32.sys", "SAFE-Agent.sys", "groundling64.sys", "avgtpx86.sys", "avgtpx64.sys", "pgpwdefs.sys", "GEProtection.sys", "diflt.sys", "sysMon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys", "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter.sys", "symevent.sys", "VirtualAgent.sys", "vxfsrep.sys", "VirtFile.sys", "SymAFR.sys", "symefasi.sys", "symefa.sys", "symefa64.sys", "SymHsm.sys", "evmf.sys", "GEFCMP.sys", "VFSEnc.sys", "pgpfs.sys", "fencry.sys", "symrg.sys", "cfrmd.sys", "cmdccav.sys", "cmdguard.sys", "CmdMnEfs.sys", "MyDLPMF.sys", "PSINPROC.SYS", "PSINFILE.SYS", "amfsm.sys", "amm8660.sys", "amm6460.sys" }; List founddrv = new List(); List sha256sum = new List(); System.Text.StringBuilder sb = new System.Text.StringBuilder(1000); uint bytesNeeded = 0; - bool edrfound = false; - bool vulndrv = false; - bool download = false; - bool drvlist = false; - bool edrcheck = false; - bool compare = false; - + Boolean running = true; + bool activeGUI = true; + Console.WriteLine(@" ____ _ _ ____ _ ____ _ _ ___ _ " + "\n" + + @" / ___| |__ ___ ___| | _| _ \ _ __(_)_ _____ _ __ / ___| | | |_ _| __ __/ |" + "\n" + + @" | | | '_ \ / _ \/ __| |/ / | | | '__| \ \ / / _ \ '__| | _| | | || | \ \ / /| |" + "\n" + + @" | |___| | | | __/ (__| <| |_| | | | |\ V / __/ | | |_| | |_| || | \ V / | |" + "\n" + + @" \____|_| |_|\___|\___|_|\_\____/|_| |_| \_/ \___|_| \____|\___/|___| \_/ |_|" + "\n"); foreach (string arg in args) { if (args.Length > 0) @@ -97,283 +160,352 @@ static void Main(string[] args) { compare = true; } + activeGUI = false; } } - if (EnumDeviceDrivers(null, 0, out bytesNeeded)) + + do { - UInt32 arraySize = bytesNeeded / (uint)IntPtr.Size; - UInt32 arraySizeBytes = bytesNeeded; - IntPtr[] ddAddresses = new IntPtr[arraySize]; - List list = new List(); - string diskpath = ""; - EnumDeviceDrivers(ddAddresses, arraySizeBytes, out bytesNeeded); - - for (int i = 0; i < arraySize - 1; i++) + if (activeGUI) { - diskpath = ""; - sb.Clear(); - if (GetDeviceDriverFileNameA(ddAddresses[i], sb, sb.Capacity) > 0) + + + Console.WriteLine( + "\n1. Help\n" + + "2. Download drivers.json from loldrivers.io\n" + + "3. Use EnumDeviceDrivers to list current drivers\n" + + "4. Compare current drivers with loldrivers.io drivers list\n" + + "5. Check if current drivers correspond to known EDR drivers\n" + + "0. Exit Program\n"); + Console.Write("Enter a Digit: "); + int userInput = Convert.ToInt32(Console.ReadLine()); + while (userInput == null || userInput < 0 || userInput > 5) { - - if (sb.ToString().Contains("\\SystemRoot\\")) + Console.WriteLine("Please enter a choice between 0-5"); + userInput = Convert.ToInt32(Console.ReadLine()); + if (userInput >= 0 && userInput <= 5) { - diskpath = sb.ToString().Replace("\\SystemRoot\\", "\\Windows\\"); - founddrv.Add(diskpath); + break; } - if (sb.ToString().Contains("\\??\\")) - { - diskpath = sb.ToString().Replace("\\??\\", ""); - founddrv.Add(diskpath); - } + } + switch (userInput) + { + case 0: + Console.WriteLine("Exiting Program"); + running = false; + return; + case 1: + Help(); + break; + case 2: + download = true; + break; + case 3: + drvlist = true; + break; + case 4: + edrcheck = true; + break; + case 5: + compare = true; + break; + default: + Console.WriteLine("Invalid Choice"); + break; + } } - } - if (drvlist) - { - Console.WriteLine("[-] Listing running drivers.."); - string certname = ""; - foreach (string drv in founddrv) + + if (EnumDeviceDrivers(null, 0, out bytesNeeded)) { - try - { - string cert = X509Certificate.CreateFromSignedFile(drv).GetName(); - var m = Regex.Match(cert, @".*O=(.*?), .*"); - certname = m.Groups[1].Value.Replace('"', ' '); - } - catch + UInt32 arraySize = bytesNeeded / (uint)IntPtr.Size; + UInt32 arraySizeBytes = bytesNeeded; + IntPtr[] ddAddresses = new IntPtr[arraySize]; + List list = new List(); + string diskpath = ""; + EnumDeviceDrivers(ddAddresses, arraySizeBytes, out bytesNeeded); + + for (int i = 0; i < arraySize - 1; i++) { - continue; - } + diskpath = ""; + sb.Clear(); + if (GetDeviceDriverFileNameA(ddAddresses[i], sb, sb.Capacity) > 0) + { - Console.WriteLine("C:\\" + drv + " (" + certname + ")"); + if (sb.ToString().Contains("\\SystemRoot\\")) + { + diskpath = sb.ToString().Replace("\\SystemRoot\\", "\\Windows\\"); + founddrv.Add(diskpath); + } + if (sb.ToString().Contains("\\??\\")) + { + diskpath = sb.ToString().Replace("\\??\\", ""); + founddrv.Add(diskpath); + } + } + } } - } - if (compare) - { - Console.WriteLine("[-] Check for vuln drivers from loldrivers.io.."); - if (download) + + if (drvlist) { - using (System.Net.WebClient wc = new System.Net.WebClient()) + Console.WriteLine("[-] Listing running drivers.."); + string certname = ""; + foreach (string drv in founddrv) { - string Uri = "https://www.loldrivers.io/api/drivers.json"; - System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Ssl3; - wc.DownloadFile(Uri, "drivers.json"); - Console.WriteLine("[+] drivers.json file downloaded"); - } - } + try + { + string cert = X509Certificate.CreateFromSignedFile(drv).GetName(); + var m = Regex.Match(cert, @".*O=(.*?), .*"); + certname = m.Groups[1].Value.Replace('"', ' '); + } + catch + { + continue; + } + Console.WriteLine(drv + " (" + certname + ")"); + } - List drvobj = null; - try - { - drvobj = JsonConvert.DeserializeObject>(File.ReadAllText("drivers.json")); } - catch (FileNotFoundException) + if (download) { - Console.WriteLine("[!] drivers.json file not found! try with --dl"); - return; + AttemptDownload(); } - List tmp = new List(); - foreach (JSONDrivers drv in drvobj) + if (compare) { - foreach (KnownVulnerableSamples item in drv.KnownVulnerableSamples) + Console.WriteLine("[-] Check for vuln drivers from loldrivers.io.."); + + if (!File.Exists("./drivers.json")) { - if (item.SHA256 != null) - tmp.Add(item.SHA256); + AttemptDownload(); } - } - sha256sum = tmp.Distinct().ToList(); - if (sha256sum.Count > 0 && founddrv.Count > 0) - { - Console.WriteLine("\nChecking for vuln driver SHA256 checksum.."); - foreach (string drv in founddrv) + List drvobj = null; + try { - if (drv.EndsWith(".sys")) + drvobj = JsonConvert.DeserializeObject>(File.ReadAllText("drivers.json")); + } + catch (FileNotFoundException) + { + Console.WriteLine("[!] drivers.json file not found! try with --dl"); + return; + } + + List tmp = new List(); + foreach (JSONDrivers drv in drvobj) + { + foreach (KnownVulnerableSamples item in drv.KnownVulnerableSamples) { - try + if (item.SHA256 != null) + tmp.Add(item.SHA256); + } + } + + sha256sum = tmp.Distinct().ToList(); + if (sha256sum.Count > 0 && founddrv.Count > 0) + { + Console.WriteLine("\nChecking for vuln driver SHA256 checksum.."); + foreach (string drv in founddrv) + { + // drv cannot be changed since its the iterator + String tmpDrv = drv; + if (drv.EndsWith(".sys")) { - string CS = GetChecksum(drv); - if (sha256sum.Contains(CS)) + try { - vulndrv = true; - Console.WriteLine($"[+] FOUND VULNERABLE DRIVER : {drv} ({CS})"); + // Adds C: to search in the correct drivers in the window Windows incase if program is running in another drive + // for example E: D: F + if (drv.StartsWith("\\")) + { + tmpDrv = "C:" + drv; + } + string CS = GetChecksum(tmpDrv); + if (sha256sum.Contains(CS)) + { + vulndrv = true; + Console.WriteLine($"[+] FOUND VULNERABLE DRIVER : {tmpDrv} ({CS})"); + } + } + catch (FileNotFoundException) + { + Console.WriteLine("File not found " + tmpDrv); + continue; + } + catch (UnauthorizedAccessException) + { + Console.WriteLine("File access denied " + tmpDrv); + continue; } } - catch (FileNotFoundException) - { - Console.WriteLine("File not found " + drv); - continue; - } - catch (UnauthorizedAccessException) - { - Console.WriteLine("File access denied " + drv); - continue; - } - } - } + } - if (!vulndrv) - { - Console.WriteLine("[+] No known vulnerable driver found."); + if (!vulndrv) + { + Console.WriteLine("[+] No known vulnerable driver found."); + } } } - } - if (edrcheck) - { - Console.WriteLine("[-] Checking for known EDR drivers.."); - foreach (string drv in founddrv) + if (edrcheck) { - string drvbasename = drv.Split('\\').Last(); - - if (edrdrv.Any(x => x.Equals(drvbasename, StringComparison.OrdinalIgnoreCase))) + Console.WriteLine("[-] Checking for known EDR drivers.."); + foreach (string drv in founddrv) { - edrfound = true; + string drvbasename = drv.Split('\\').Last(); - if ("tbimdsa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "tmeyes.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "TMEBC64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + if (edrdrv.Any(x => x.Equals(drvbasename, StringComparison.OrdinalIgnoreCase))) { - Console.WriteLine("TrendMicro drivers Found! (" + drvbasename + ")"); - } - if ("cyvrlpc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Cortex XDR Found! (" + drvbasename + ")"); - } - if ("FeKern.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "WFP_MRT.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("FireEye Found! (" + drvbasename + ")"); - } - if ("eaw.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Raytheon Cyber Solutions Found! (" + drvbasename + ")"); - } - if ("rvsavd.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("CJSC Returnil Software Found! (" + drvbasename + ")"); - } - if ("dgdmk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Verdasys Inc. Found! (" + drvbasename + ")"); - } - if ("atrsdfw.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Altiris (Symantec) Found! (" + drvbasename + ")"); - } - if ("mbamwatchdog.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Malwarebytes Found! (" + drvbasename + ")"); - } - if ("edevmon.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "ehdrv.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("ESET Found! (" + drvbasename + ")"); - } - if ("SentinelMonitor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("SentinelOne Found! (" + drvbasename + ")"); - } - if ("edrsensor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("BitDefender SRL Found! (" + drvbasename + ")"); - } - if ("atc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "egfilterk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "vlflt.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("TEHTRIS XDR Found! (" + drvbasename + ")"); - } - if ("HexisFSMonitor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Hexis Cyber Solutions Found! (" + drvbasename + ")"); - } - if ("CyOptics.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CyProtectDrv32.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CyProtectDrv64.sys.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Cylance Inc. Found! (" + drvbasename + ")"); - } - if ("aswSP.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Avast Found! (" + drvbasename + ")"); - } - if ("mfeaskm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "mfencfilter.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("McAfee Found! (" + drvbasename + ")"); - } - if ("groundling32.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "groundling64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Dell Secureworks Found! (" + drvbasename + ")"); - } - if ("avgtpx86.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "avgtpx64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("AVG Technologies Found! (" + drvbasename + ")"); - } - if ("pgpwdefs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "GEProtection.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "diflt.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "sysMon.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "ssrfsf.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "emxdrv2.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "reghook.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "spbbcdrv.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "bhdrvx86.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "bhdrvx64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SISIPSFileFilter".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symevent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "vxfsrep.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "VirtFile.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SymAFR.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefasi.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefa64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SymHsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "evmf.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "GEFCMP.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "VFSEnc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "pgpfs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fencry.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symrg.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Symantec Found! (" + drvbasename + ")"); - } - if ("SAFE-Agent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("SAFE-Cyberdefense Found! (" + drvbasename + ")"); - } - if ("CybKernelTracker.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("CyberArk Software Found! (" + drvbasename + ")"); - } - if ("klifks.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "klifaa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "Klifsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Kaspersky Found! (" + drvbasename + ")"); - } - if ("SAVOnAccess.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "savonaccess.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "sld.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Sophos Found! (" + drvbasename + ")"); - } - if ("ssfmonm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Webroot Software, Inc. Found! (" + drvbasename + ")"); - } - if ("CarbonBlackK.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Carbon Black Found! (" + drvbasename + ")"); - } - if ("CRExecPrev.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Cybereason Found! (" + drvbasename + ")"); - } - if ("im.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csagent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("CrowdStrike Found! (" + drvbasename + ")"); - } - if ("cfrmd.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "cmdccav.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "cmdguard.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CmdMnEfs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "MyDLPMF.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Comodo Security Solutions Found! (" + drvbasename + ")"); - } - if ("PSINPROC.SYS".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "PSINFILE.SYS".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amfsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amm8660.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amm6460.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Panda Security Found! (" + drvbasename + ")"); - } - if ("fsgk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fsatp.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fshs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("F-Secure Found! (" + drvbasename + ")"); - } - if ("esensor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Endgame Found! (" + drvbasename + ")"); - } - if ("csacentr.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaenh.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csareg.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csascr.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaav.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaam.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Cisco Found! (" + drvbasename + ")"); + edrfound = true; + + if ("tbimdsa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "tmeyes.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "TMEBC64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("TrendMicro drivers Found! (" + drvbasename + ")"); + } + if ("cyvrlpc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Cortex XDR Found! (" + drvbasename + ")"); + } + if ("FeKern.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "WFP_MRT.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("FireEye Found! (" + drvbasename + ")"); + } + if ("eaw.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Raytheon Cyber Solutions Found! (" + drvbasename + ")"); + } + if ("rvsavd.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("CJSC Returnil Software Found! (" + drvbasename + ")"); + } + if ("dgdmk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Verdasys Inc. Found! (" + drvbasename + ")"); + } + if ("atrsdfw.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Altiris (Symantec) Found! (" + drvbasename + ")"); + } + if ("mbamwatchdog.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Malwarebytes Found! (" + drvbasename + ")"); + } + if ("edevmon.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "ehdrv.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("ESET Found! (" + drvbasename + ")"); + } + if ("SentinelMonitor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("SentinelOne Found! (" + drvbasename + ")"); + } + if ("edrsensor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("BitDefender SRL Found! (" + drvbasename + ")"); + } + if ("atc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "egfilterk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "vlflt.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("TEHTRIS XDR Found! (" + drvbasename + ")"); + } + if ("HexisFSMonitor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Hexis Cyber Solutions Found! (" + drvbasename + ")"); + } + if ("CyOptics.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CyProtectDrv32.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CyProtectDrv64.sys.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Cylance Inc. Found! (" + drvbasename + ")"); + } + if ("aswSP.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Avast Found! (" + drvbasename + ")"); + } + if ("mfeaskm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "mfencfilter.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("McAfee Found! (" + drvbasename + ")"); + } + if ("groundling32.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "groundling64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Dell Secureworks Found! (" + drvbasename + ")"); + } + if ("avgtpx86.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "avgtpx64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("AVG Technologies Found! (" + drvbasename + ")"); + } + if ("pgpwdefs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "GEProtection.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "diflt.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "sysMon.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "ssrfsf.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "emxdrv2.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "reghook.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "spbbcdrv.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "bhdrvx86.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "bhdrvx64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SISIPSFileFilter".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symevent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "vxfsrep.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "VirtFile.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SymAFR.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefasi.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefa64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SymHsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "evmf.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "GEFCMP.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "VFSEnc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "pgpfs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fencry.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symrg.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Symantec Found! (" + drvbasename + ")"); + } + if ("SAFE-Agent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("SAFE-Cyberdefense Found! (" + drvbasename + ")"); + } + if ("CybKernelTracker.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("CyberArk Software Found! (" + drvbasename + ")"); + } + if ("klifks.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "klifaa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "Klifsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Kaspersky Found! (" + drvbasename + ")"); + } + if ("SAVOnAccess.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "savonaccess.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "sld.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Sophos Found! (" + drvbasename + ")"); + } + if ("ssfmonm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Webroot Software, Inc. Found! (" + drvbasename + ")"); + } + if ("CarbonBlackK.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Carbon Black Found! (" + drvbasename + ")"); + } + if ("CRExecPrev.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Cybereason Found! (" + drvbasename + ")"); + } + if ("im.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csagent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("CrowdStrike Found! (" + drvbasename + ")"); + } + if ("cfrmd.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "cmdccav.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "cmdguard.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CmdMnEfs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "MyDLPMF.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Comodo Security Solutions Found! (" + drvbasename + ")"); + } + if ("PSINPROC.SYS".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "PSINFILE.SYS".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amfsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amm8660.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amm6460.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Panda Security Found! (" + drvbasename + ")"); + } + if ("fsgk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fsatp.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fshs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("F-Secure Found! (" + drvbasename + ")"); + } + if ("esensor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Endgame Found! (" + drvbasename + ")"); + } + if ("csacentr.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaenh.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csareg.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csascr.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaav.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaam.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Cisco Found! (" + drvbasename + ")"); + } } } - } - if (!edrfound) + if (!edrfound) + { + Console.WriteLine("[+] No EDR driver Found!"); + } + } + ResetValues(); + if(args.Length > 0) { - Console.WriteLine("[+] No EDR driver Found!"); + running = false; } - } + } while (running); return; }