From 2cafa83f9c2e7d9215ddaeaad749554b7bb25af5 Mon Sep 17 00:00:00 2001 From: Andriani Date: Wed, 27 Nov 2024 20:06:13 -0500 Subject: [PATCH 1/5] Update Target Framework to 4.8 --- App.config | 2 +- CheckDrivers.csproj | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/App.config b/App.config index a7490eb..5ffd8f8 100644 --- a/App.config +++ b/App.config @@ -1,6 +1,6 @@ - + diff --git a/CheckDrivers.csproj b/CheckDrivers.csproj index 2c2cdd9..2304d31 100644 --- a/CheckDrivers.csproj +++ b/CheckDrivers.csproj @@ -8,7 +8,7 @@ Exe CheckDrivers CheckDrivers - v4.5.1 + v4.8 512 true true From 5831c7c6e36f8d5dc27d0d4da8855a5e1961bfd2 Mon Sep 17 00:00:00 2001 From: Andriani Date: Wed, 27 Nov 2024 20:20:58 -0500 Subject: [PATCH 2/5] Add GUI and Bug Fixes - Adds a GUI if exe is opened not using terminal - Allows for all options to be used without program returning - Fixed bug that caused files in the \Windows directory not to be found if the exe was located in a non C: drive. --- Program.cs | 572 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 327 insertions(+), 245 deletions(-) diff --git a/Program.cs b/Program.cs index 01365ba..9867a5f 100644 --- a/Program.cs +++ b/Program.cs @@ -7,11 +7,19 @@ using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Text.RegularExpressions; +using System.Threading; namespace CheckDrivers { internal class Program { + public static bool edrfound = false; + public static bool vulndrv = false; + public static bool download = false; + public static bool drvlist = false; + public static bool edrcheck = false; + public static bool compare = false; + [DllImport("psapi")] static extern bool EnumDeviceDrivers([MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.U4)][In][Out] IntPtr[] ddAddresses, UInt32 arraySizeBytes, [MarshalAs(UnmanagedType.U4)] out UInt32 bytesNeeded); @@ -29,7 +37,7 @@ public class KnownVulnerableSamples { [JsonProperty(PropertyName = "Filename")] public string Filename { get; set; } - + [JsonProperty(PropertyName = "SHA256")] public string SHA256 { get; set; } } @@ -45,33 +53,41 @@ private static string GetChecksum(string file) } } - + static void ResetValues() + { + edrfound = false; + vulndrv = false; + download = false; + drvlist = false; + edrcheck = false; + compare = false; + } static void Help() { Console.WriteLine(@"" + - "--dl - Download drivers.json from loldrivers.io\n" + - "--list - Use EnumDeviceDrivers to list current drivers\n" + - "--compare - Compare current drivers with loldrivers.io drivers list\n" + - "--edr - Check if current drivers correspond to known EDR drivers\n" + - "--help, -h - Display help" + + "1. --help, -h - Display help" + + "2. --dl - Download drivers.json from loldrivers.io\n" + + "3. --list - Use EnumDeviceDrivers to list current drivers\n" + + "4. --compare - Compare current drivers with loldrivers.io drivers list\n" + + "5. --edr - Check if current drivers correspond to known EDR drivers\n" + ""); return; } static void Main(string[] args) { - - List edrdrv = new List{ "tbimdsa.sys", "TMEBC64.sys", "tmeyes.sys", "cyvrlpc.sys", "egfilterk.sys", "atc.sys", "vlflt.sys", "csacentr.sys", "csaenh.sys", "csareg.sys", "csascr.sys", "csaav.sys", "csaam.sys", "esensor.sys", "fsgk.sys", "fsatp.sys", "fshs.sys", "eaw.sys", "im.sys", "csagent.sys", "rvsavd.sys", "dgdmk.sys", "atrsdfw.sys", "mbamwatchdog.sys", "edevmon.sys", "SentinelMonitor.sys", "edrsensor.sys", "ehdrv.sys", "HexisFSMonitor.sys", "CyOptics.sys", "CarbonBlackK.sys", "CyProtectDrv32.sys", "CyProtectDrv64.sys", "CRExecPrev.sys", "ssfmonm.sys", "CybKernelTracker.sys", "SAVOnAccess.sys", "savonaccess.sys", "sld.sys", "aswSP.sys", "FeKern.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "mfeaskm.sys", "mfencfilter.sys", "WFP_MRT.sys", "groundling32.sys", "SAFE-Agent.sys", "groundling64.sys", "avgtpx86.sys", "avgtpx64.sys", "pgpwdefs.sys", "GEProtection.sys", "diflt.sys", "sysMon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys", "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter.sys", "symevent.sys", "VirtualAgent.sys", "vxfsrep.sys", "VirtFile.sys", "SymAFR.sys", "symefasi.sys", "symefa.sys", "symefa64.sys", "SymHsm.sys", "evmf.sys", "GEFCMP.sys", "VFSEnc.sys", "pgpfs.sys", "fencry.sys", "symrg.sys", "cfrmd.sys", "cmdccav.sys", "cmdguard.sys", "CmdMnEfs.sys", "MyDLPMF.sys", "PSINPROC.SYS", "PSINFILE.SYS", "amfsm.sys", "amm8660.sys", "amm6460.sys"}; + + List edrdrv = new List { "tbimdsa.sys", "TMEBC64.sys", "tmeyes.sys", "cyvrlpc.sys", "egfilterk.sys", "atc.sys", "vlflt.sys", "csacentr.sys", "csaenh.sys", "csareg.sys", "csascr.sys", "csaav.sys", "csaam.sys", "esensor.sys", "fsgk.sys", "fsatp.sys", "fshs.sys", "eaw.sys", "im.sys", "csagent.sys", "rvsavd.sys", "dgdmk.sys", "atrsdfw.sys", "mbamwatchdog.sys", "edevmon.sys", "SentinelMonitor.sys", "edrsensor.sys", "ehdrv.sys", "HexisFSMonitor.sys", "CyOptics.sys", "CarbonBlackK.sys", "CyProtectDrv32.sys", "CyProtectDrv64.sys", "CRExecPrev.sys", "ssfmonm.sys", "CybKernelTracker.sys", "SAVOnAccess.sys", "savonaccess.sys", "sld.sys", "aswSP.sys", "FeKern.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "mfeaskm.sys", "mfencfilter.sys", "WFP_MRT.sys", "groundling32.sys", "SAFE-Agent.sys", "groundling64.sys", "avgtpx86.sys", "avgtpx64.sys", "pgpwdefs.sys", "GEProtection.sys", "diflt.sys", "sysMon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys", "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter.sys", "symevent.sys", "VirtualAgent.sys", "vxfsrep.sys", "VirtFile.sys", "SymAFR.sys", "symefasi.sys", "symefa.sys", "symefa64.sys", "SymHsm.sys", "evmf.sys", "GEFCMP.sys", "VFSEnc.sys", "pgpfs.sys", "fencry.sys", "symrg.sys", "cfrmd.sys", "cmdccav.sys", "cmdguard.sys", "CmdMnEfs.sys", "MyDLPMF.sys", "PSINPROC.SYS", "PSINFILE.SYS", "amfsm.sys", "amm8660.sys", "amm6460.sys" }; List founddrv = new List(); List sha256sum = new List(); System.Text.StringBuilder sb = new System.Text.StringBuilder(1000); uint bytesNeeded = 0; - bool edrfound = false; - bool vulndrv = false; - bool download = false; - bool drvlist = false; - bool edrcheck = false; - bool compare = false; - + Boolean running = true; + bool activeGUI = true; + Console.WriteLine(@" ____ _ _ ____ _ ____ _ _ ___ _ " + "\n" + + @" / ___| |__ ___ ___| | _| _ \ _ __(_)_ _____ _ __ / ___| | | |_ _| __ __/ |" + "\n" + + @" | | | '_ \ / _ \/ __| |/ / | | | '__| \ \ / / _ \ '__| | _| | | || | \ \ / /| |" + "\n" + + @" | |___| | | | __/ (__| <| |_| | | | |\ V / __/ | | |_| | |_| || | \ V / | |" + "\n" + + @" \____|_| |_|\___|\___|_|\_\____/|_| |_| \_/ \___|_| \____|\___/|___| \_/ |_|" + "\n"); foreach (string arg in args) { if (args.Length > 0) @@ -97,283 +113,349 @@ static void Main(string[] args) { compare = true; } + activeGUI = false; } } - if (EnumDeviceDrivers(null, 0, out bytesNeeded)) + + do { - UInt32 arraySize = bytesNeeded / (uint)IntPtr.Size; - UInt32 arraySizeBytes = bytesNeeded; - IntPtr[] ddAddresses = new IntPtr[arraySize]; - List list = new List(); - string diskpath = ""; - EnumDeviceDrivers(ddAddresses, arraySizeBytes, out bytesNeeded); - - for (int i = 0; i < arraySize - 1; i++) + + if (activeGUI) { - diskpath = ""; - sb.Clear(); - if (GetDeviceDriverFileNameA(ddAddresses[i], sb, sb.Capacity) > 0) + + ResetValues(); // Prevents from other functions being ran again after its been called the first time. + Console.WriteLine( + "\n1. Help\n" + + "2. Download drivers.json from loldrivers.io\n" + + "3. Use EnumDeviceDrivers to list current drivers\n" + + "4. Compare current drivers with loldrivers.io drivers list\n" + + "5. Check if current drivers correspond to known EDR drivers\n" + + "0. Exit Program\n"); + Console.Write("Enter a Digit: "); + int userInput = Convert.ToInt32(Console.ReadLine()); + while (userInput == null || userInput < 0 || userInput > 5) { - - if (sb.ToString().Contains("\\SystemRoot\\")) + Console.WriteLine("Please enter a choice between 0-5"); + userInput = Convert.ToInt32(Console.ReadLine()); + if (userInput >= 0 && userInput <= 5) { - diskpath = sb.ToString().Replace("\\SystemRoot\\", "\\Windows\\"); - founddrv.Add(diskpath); + break; } - if (sb.ToString().Contains("\\??\\")) - { - diskpath = sb.ToString().Replace("\\??\\", ""); - founddrv.Add(diskpath); - } - } - } - } - - - if (drvlist) - { - Console.WriteLine("[-] Listing running drivers.."); - string certname = ""; - foreach (string drv in founddrv) - { - try - { - string cert = X509Certificate.CreateFromSignedFile(drv).GetName(); - var m = Regex.Match(cert, @".*O=(.*?), .*"); - certname = m.Groups[1].Value.Replace('"', ' '); } - catch + switch (userInput) { - continue; - } - - Console.WriteLine("C:\\" + drv + " (" + certname + ")"); - } - } + case 0: + Console.WriteLine("Exiting Program"); + running = false; + return; + case 1: + Help(); + break; + case 2: + download = true; + break; + case 3: + drvlist = true; + break; + case 4: + edrcheck = true; + break; + case 5: + compare = true; + break; + default: + Console.WriteLine("Invalid Choice"); + break; - if (compare) - { - Console.WriteLine("[-] Check for vuln drivers from loldrivers.io.."); - if (download) - { - using (System.Net.WebClient wc = new System.Net.WebClient()) - { - string Uri = "https://www.loldrivers.io/api/drivers.json"; - System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Ssl3; - wc.DownloadFile(Uri, "drivers.json"); - Console.WriteLine("[+] drivers.json file downloaded"); } } - List drvobj = null; - try - { - drvobj = JsonConvert.DeserializeObject>(File.ReadAllText("drivers.json")); - } - catch (FileNotFoundException) - { - Console.WriteLine("[!] drivers.json file not found! try with --dl"); - return; - } - List tmp = new List(); - foreach (JSONDrivers drv in drvobj) + if (EnumDeviceDrivers(null, 0, out bytesNeeded)) { - foreach (KnownVulnerableSamples item in drv.KnownVulnerableSamples) - { - if (item.SHA256 != null) - tmp.Add(item.SHA256); - } - } + UInt32 arraySize = bytesNeeded / (uint)IntPtr.Size; + UInt32 arraySizeBytes = bytesNeeded; + IntPtr[] ddAddresses = new IntPtr[arraySize]; + List list = new List(); + string diskpath = ""; + EnumDeviceDrivers(ddAddresses, arraySizeBytes, out bytesNeeded); - sha256sum = tmp.Distinct().ToList(); - if (sha256sum.Count > 0 && founddrv.Count > 0) - { - Console.WriteLine("\nChecking for vuln driver SHA256 checksum.."); - foreach (string drv in founddrv) + for (int i = 0; i < arraySize - 1; i++) { - if (drv.EndsWith(".sys")) + diskpath = ""; + sb.Clear(); + if (GetDeviceDriverFileNameA(ddAddresses[i], sb, sb.Capacity) > 0) { - try - { - string CS = GetChecksum(drv); - if (sha256sum.Contains(CS)) - { - vulndrv = true; - Console.WriteLine($"[+] FOUND VULNERABLE DRIVER : {drv} ({CS})"); - } - } - catch (FileNotFoundException) + + if (sb.ToString().Contains("\\SystemRoot\\")) { - Console.WriteLine("File not found " + drv); - continue; + diskpath = sb.ToString().Replace("\\SystemRoot\\", "\\Windows\\"); + founddrv.Add(diskpath); } - catch (UnauthorizedAccessException) + if (sb.ToString().Contains("\\??\\")) { - Console.WriteLine("File access denied " + drv); - continue; + diskpath = sb.ToString().Replace("\\??\\", ""); + founddrv.Add(diskpath); } } - - } - - if (!vulndrv) - { - Console.WriteLine("[+] No known vulnerable driver found."); } } - } - if (edrcheck) - { - Console.WriteLine("[-] Checking for known EDR drivers.."); - foreach (string drv in founddrv) + if (drvlist) { - string drvbasename = drv.Split('\\').Last(); - - if (edrdrv.Any(x => x.Equals(drvbasename, StringComparison.OrdinalIgnoreCase))) + Console.WriteLine("[-] Listing running drivers.."); + string certname = ""; + foreach (string drv in founddrv) { - edrfound = true; - - if ("tbimdsa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "tmeyes.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "TMEBC64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("TrendMicro drivers Found! (" + drvbasename + ")"); - } - if ("cyvrlpc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + try { - Console.WriteLine("Cortex XDR Found! (" + drvbasename + ")"); + string cert = X509Certificate.CreateFromSignedFile(drv).GetName(); + var m = Regex.Match(cert, @".*O=(.*?), .*"); + certname = m.Groups[1].Value.Replace('"', ' '); } - if ("FeKern.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "WFP_MRT.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + catch { - Console.WriteLine("FireEye Found! (" + drvbasename + ")"); + continue; } - if ("eaw.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Raytheon Cyber Solutions Found! (" + drvbasename + ")"); - } - if ("rvsavd.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("CJSC Returnil Software Found! (" + drvbasename + ")"); - } - if ("dgdmk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Verdasys Inc. Found! (" + drvbasename + ")"); - } - if ("atrsdfw.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Altiris (Symantec) Found! (" + drvbasename + ")"); - } - if ("mbamwatchdog.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Malwarebytes Found! (" + drvbasename + ")"); - } - if ("edevmon.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "ehdrv.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("ESET Found! (" + drvbasename + ")"); - } - if ("SentinelMonitor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("SentinelOne Found! (" + drvbasename + ")"); - } - if ("edrsensor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("BitDefender SRL Found! (" + drvbasename + ")"); - } - if ("atc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "egfilterk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "vlflt.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("TEHTRIS XDR Found! (" + drvbasename + ")"); - } - if ("HexisFSMonitor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Hexis Cyber Solutions Found! (" + drvbasename + ")"); - } - if ("CyOptics.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CyProtectDrv32.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CyProtectDrv64.sys.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Cylance Inc. Found! (" + drvbasename + ")"); - } - if ("aswSP.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Avast Found! (" + drvbasename + ")"); - } - if ("mfeaskm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "mfencfilter.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("McAfee Found! (" + drvbasename + ")"); - } - if ("groundling32.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "groundling64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Dell Secureworks Found! (" + drvbasename + ")"); - } - if ("avgtpx86.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "avgtpx64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("AVG Technologies Found! (" + drvbasename + ")"); - } - if ("pgpwdefs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "GEProtection.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "diflt.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "sysMon.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "ssrfsf.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "emxdrv2.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "reghook.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "spbbcdrv.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "bhdrvx86.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "bhdrvx64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SISIPSFileFilter".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symevent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "vxfsrep.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "VirtFile.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SymAFR.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefasi.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefa64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SymHsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "evmf.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "GEFCMP.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "VFSEnc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "pgpfs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fencry.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symrg.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Symantec Found! (" + drvbasename + ")"); - } - if ("SAFE-Agent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("SAFE-Cyberdefense Found! (" + drvbasename + ")"); - } - if ("CybKernelTracker.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("CyberArk Software Found! (" + drvbasename + ")"); - } - if ("klifks.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "klifaa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "Klifsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Kaspersky Found! (" + drvbasename + ")"); - } - if ("SAVOnAccess.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "savonaccess.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "sld.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Sophos Found! (" + drvbasename + ")"); - } - if ("ssfmonm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Webroot Software, Inc. Found! (" + drvbasename + ")"); - } - if ("CarbonBlackK.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Carbon Black Found! (" + drvbasename + ")"); - } - if ("CRExecPrev.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Cybereason Found! (" + drvbasename + ")"); - } - if ("im.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csagent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("CrowdStrike Found! (" + drvbasename + ")"); - } - if ("cfrmd.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "cmdccav.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "cmdguard.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CmdMnEfs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "MyDLPMF.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) - { - Console.WriteLine("Comodo Security Solutions Found! (" + drvbasename + ")"); - } - if ("PSINPROC.SYS".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "PSINFILE.SYS".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amfsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amm8660.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amm6460.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + + Console.WriteLine(drv + " (" + certname + ")"); + } + } + + if (compare) + { + Console.WriteLine("[-] Check for vuln drivers from loldrivers.io.."); + if (download) + { + using (System.Net.WebClient wc = new System.Net.WebClient()) { - Console.WriteLine("Panda Security Found! (" + drvbasename + ")"); + string Uri = "https://www.loldrivers.io/api/drivers.json"; + System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Ssl3; + wc.DownloadFile(Uri, "drivers.json"); + Console.WriteLine("[+] drivers.json file downloaded"); } - if ("fsgk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fsatp.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fshs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + } + + + List drvobj = null; + try + { + drvobj = JsonConvert.DeserializeObject>(File.ReadAllText("drivers.json")); + } + catch (FileNotFoundException) + { + Console.WriteLine("[!] drivers.json file not found! try with --dl"); + return; + } + + List tmp = new List(); + foreach (JSONDrivers drv in drvobj) + { + foreach (KnownVulnerableSamples item in drv.KnownVulnerableSamples) { - Console.WriteLine("F-Secure Found! (" + drvbasename + ")"); + if (item.SHA256 != null) + tmp.Add(item.SHA256); } - if ("esensor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + } + + sha256sum = tmp.Distinct().ToList(); + if (sha256sum.Count > 0 && founddrv.Count > 0) + { + Console.WriteLine("\nChecking for vuln driver SHA256 checksum.."); + foreach (string drv in founddrv) { - Console.WriteLine("Endgame Found! (" + drvbasename + ")"); + // drv cannot be changed since its the iterator + String tmpDrv = drv; + if (drv.EndsWith(".sys")) + { + try + { + // Adds C: to search in the correct drivers in the window Windows incase if program is running in another drive + // for example E: D: F + if (drv.StartsWith("\\")) + { + tmpDrv = "C:" + drv; + } + string CS = GetChecksum(tmpDrv); + if (sha256sum.Contains(CS)) + { + vulndrv = true; + Console.WriteLine($"[+] FOUND VULNERABLE DRIVER : {tmpDrv} ({CS})"); + } + } + catch (FileNotFoundException) + { + Console.WriteLine("File not found " + tmpDrv); + continue; + } + catch (UnauthorizedAccessException) + { + Console.WriteLine("File access denied " + tmpDrv); + continue; + } + } + } - if ("csacentr.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaenh.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csareg.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csascr.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaav.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaam.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + + if (!vulndrv) { - Console.WriteLine("Cisco Found! (" + drvbasename + ")"); + Console.WriteLine("[+] No known vulnerable driver found."); } } } - if (!edrfound) + + if (edrcheck) { - Console.WriteLine("[+] No EDR driver Found!"); + Console.WriteLine("[-] Checking for known EDR drivers.."); + foreach (string drv in founddrv) + { + string drvbasename = drv.Split('\\').Last(); + + if (edrdrv.Any(x => x.Equals(drvbasename, StringComparison.OrdinalIgnoreCase))) + { + edrfound = true; + + if ("tbimdsa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "tmeyes.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "TMEBC64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("TrendMicro drivers Found! (" + drvbasename + ")"); + } + if ("cyvrlpc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Cortex XDR Found! (" + drvbasename + ")"); + } + if ("FeKern.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "WFP_MRT.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("FireEye Found! (" + drvbasename + ")"); + } + if ("eaw.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Raytheon Cyber Solutions Found! (" + drvbasename + ")"); + } + if ("rvsavd.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("CJSC Returnil Software Found! (" + drvbasename + ")"); + } + if ("dgdmk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Verdasys Inc. Found! (" + drvbasename + ")"); + } + if ("atrsdfw.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Altiris (Symantec) Found! (" + drvbasename + ")"); + } + if ("mbamwatchdog.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Malwarebytes Found! (" + drvbasename + ")"); + } + if ("edevmon.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "ehdrv.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("ESET Found! (" + drvbasename + ")"); + } + if ("SentinelMonitor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("SentinelOne Found! (" + drvbasename + ")"); + } + if ("edrsensor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("BitDefender SRL Found! (" + drvbasename + ")"); + } + if ("atc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "egfilterk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "vlflt.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("TEHTRIS XDR Found! (" + drvbasename + ")"); + } + if ("HexisFSMonitor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Hexis Cyber Solutions Found! (" + drvbasename + ")"); + } + if ("CyOptics.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CyProtectDrv32.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CyProtectDrv64.sys.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Cylance Inc. Found! (" + drvbasename + ")"); + } + if ("aswSP.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Avast Found! (" + drvbasename + ")"); + } + if ("mfeaskm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "mfencfilter.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("McAfee Found! (" + drvbasename + ")"); + } + if ("groundling32.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "groundling64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Dell Secureworks Found! (" + drvbasename + ")"); + } + if ("avgtpx86.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "avgtpx64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("AVG Technologies Found! (" + drvbasename + ")"); + } + if ("pgpwdefs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "GEProtection.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "diflt.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "sysMon.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "ssrfsf.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "emxdrv2.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "reghook.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "spbbcdrv.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "bhdrvx86.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "bhdrvx64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SISIPSFileFilter".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symevent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "vxfsrep.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "VirtFile.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SymAFR.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefasi.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symefa64.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "SymHsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "evmf.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "GEFCMP.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "VFSEnc.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "pgpfs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fencry.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "symrg.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Symantec Found! (" + drvbasename + ")"); + } + if ("SAFE-Agent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("SAFE-Cyberdefense Found! (" + drvbasename + ")"); + } + if ("CybKernelTracker.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("CyberArk Software Found! (" + drvbasename + ")"); + } + if ("klifks.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "klifaa.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "Klifsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Kaspersky Found! (" + drvbasename + ")"); + } + if ("SAVOnAccess.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "savonaccess.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "sld.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Sophos Found! (" + drvbasename + ")"); + } + if ("ssfmonm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Webroot Software, Inc. Found! (" + drvbasename + ")"); + } + if ("CarbonBlackK.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Carbon Black Found! (" + drvbasename + ")"); + } + if ("CRExecPrev.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Cybereason Found! (" + drvbasename + ")"); + } + if ("im.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csagent.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("CrowdStrike Found! (" + drvbasename + ")"); + } + if ("cfrmd.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "cmdccav.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "cmdguard.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "CmdMnEfs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "MyDLPMF.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Comodo Security Solutions Found! (" + drvbasename + ")"); + } + if ("PSINPROC.SYS".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "PSINFILE.SYS".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amfsm.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amm8660.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "amm6460.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Panda Security Found! (" + drvbasename + ")"); + } + if ("fsgk.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fsatp.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "fshs.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("F-Secure Found! (" + drvbasename + ")"); + } + if ("esensor.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Endgame Found! (" + drvbasename + ")"); + } + if ("csacentr.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaenh.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csareg.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csascr.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaav.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase) || "csaam.sys".Equals(drvbasename, StringComparison.OrdinalIgnoreCase)) + { + Console.WriteLine("Cisco Found! (" + drvbasename + ")"); + } + } + } + + if (!edrfound) + { + Console.WriteLine("[+] No EDR driver Found!"); + } } - } + } while (running); return; } From 23b35a00991b0edb2468dbb5dbcf4de7866d2cfb Mon Sep 17 00:00:00 2001 From: Andriani Date: Wed, 27 Nov 2024 20:21:37 -0500 Subject: [PATCH 3/5] Create .gitignore --- .gitignore | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..019b30b --- /dev/null +++ b/.gitignore @@ -0,0 +1,40 @@ + +.vs/CheckDrivers/project-colors.json +.vs/CheckDrivers/v17/.suo +bin/Debug/CheckDrivers.exe +bin/Debug/CheckDrivers.exe.config +bin/Debug/CheckDrivers.pdb +bin/Debug/drivers.json +bin/Debug/System.Diagnostics.DiagnosticSource.dll +bin/x64/Debug/CheckDrivers.exe +bin/x64/Debug/CheckDrivers.exe.config +bin/x64/Debug/CheckDrivers.pdb +bin/x64/Debug/drivers.json +bin/x64/Debug/System.Diagnostics.DiagnosticSource.dll +obj/CheckDrivers.csproj.nuget.dgspec.json +obj/CheckDrivers.csproj.nuget.g.props +obj/CheckDrivers.csproj.nuget.g.targets +obj/Debug/.NETFramework,Version=v4.8.AssemblyAttributes.cs +obj/Debug/CheckDrivers.csproj.AssemblyReference.cache +obj/Debug/CheckDrivers.csproj.CopyComplete +obj/Debug/CheckDrivers.csproj.CoreCompileInputs.cache +obj/Debug/CheckDrivers.csproj.FileListAbsolute.txt +obj/Debug/CheckDrivers.csproj.Fody.CopyLocal.cache +obj/Debug/CheckDrivers.csproj.Fody.RuntimeCopyLocal.cache +obj/Debug/CheckDrivers.csproj.SuggestedBindingRedirects.cache +obj/Debug/CheckDrivers.exe +obj/Debug/CheckDrivers.pdb +obj/Debug/Costura/1E76E6099570EDE620B76ED47CF8D03A936D49F8.costura.newtonsoft.json.dll.compressed.compressed +obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache +obj/project.assets.json +obj/project.nuget.cache +obj/x64/Debug/.NETFramework,Version=v4.8.AssemblyAttributes.cs +obj/x64/Debug/CheckDrivers.csproj.CopyComplete +obj/x64/Debug/CheckDrivers.csproj.CoreCompileInputs.cache +obj/x64/Debug/CheckDrivers.csproj.FileListAbsolute.txt +obj/x64/Debug/CheckDrivers.csproj.Fody.CopyLocal.cache +obj/x64/Debug/CheckDrivers.csproj.Fody.RuntimeCopyLocal.cache +obj/x64/Debug/CheckDrivers.csproj.SuggestedBindingRedirects.cache +obj/x64/Debug/CheckDrivers.exe +obj/x64/Debug/CheckDrivers.pdb +obj/x64/Debug/Costura/1E76E6099570EDE620B76ED47CF8D03A936D49F8.costura.newtonsoft.json.dll.compressed.compressed From 709328c6761c9d4f2ef9f9151cd147159f5557b7 Mon Sep 17 00:00:00 2001 From: Andriani Date: Sat, 30 Nov 2024 03:06:05 -0500 Subject: [PATCH 4/5] Add Download Option Program download option was never implemented. It would only download if the user used compare. Whenever the user would use --dl as an arg it would not download. The user would need to use --compare --dl to be able to download the drivers.json file. --- Program.cs | 74 ++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 63 insertions(+), 11 deletions(-) diff --git a/Program.cs b/Program.cs index 9867a5f..9957c1a 100644 --- a/Program.cs +++ b/Program.cs @@ -73,6 +73,55 @@ static void Help() ""); return; } + + static void AttemptDownload() + { + + string uri = "https://www.loldrivers.io/api/drivers.json"; + string filePath = "drivers.json"; + + System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls + | System.Net.SecurityProtocolType.Tls11 + | System.Net.SecurityProtocolType.Tls12; + + using (System.Net.WebClient wc = new System.Net.WebClient()) + { + // Optional: Set headers + // wc.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; AcmeInc/1.0)"); + + // Subscribe to the DownloadFileCompleted event + wc.DownloadFileCompleted += (sender, e) => + { + if (e.Error != null) + { + Console.WriteLine($"[!] Download failed: {e.Error.Message}"); + } + else if (e.Cancelled) + { + Console.WriteLine("[!] Download canceled."); + } + else + { + Console.WriteLine("[+] drivers.json file downloaded successfully."); + Console.WriteLine("Press any key to exit."); + + } + }; + + try + { + // Start the asynchronous download + wc.DownloadFileAsync(new Uri(uri), filePath); + Console.WriteLine("Downloading... Press any key to cancel."); + Console.ReadKey(); // Prevents the application from exiting immediately + } + catch (Exception ex) + { + Console.WriteLine($"[!] An error occurred: {ex.Message}"); + } + } + + } static void Main(string[] args) { @@ -120,11 +169,10 @@ static void Main(string[] args) do { - if (activeGUI) { - ResetValues(); // Prevents from other functions being ran again after its been called the first time. + Console.WriteLine( "\n1. Help\n" + "2. Download drivers.json from loldrivers.io\n" + @@ -223,23 +271,22 @@ static void Main(string[] args) Console.WriteLine(drv + " (" + certname + ")"); } + + } + if (download) + { + AttemptDownload(); } if (compare) { Console.WriteLine("[-] Check for vuln drivers from loldrivers.io.."); - if (download) + + if (!File.Exists("./drivers.json")) { - using (System.Net.WebClient wc = new System.Net.WebClient()) - { - string Uri = "https://www.loldrivers.io/api/drivers.json"; - System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Ssl3; - wc.DownloadFile(Uri, "drivers.json"); - Console.WriteLine("[+] drivers.json file downloaded"); - } + AttemptDownload(); } - List drvobj = null; try { @@ -455,6 +502,11 @@ static void Main(string[] args) Console.WriteLine("[+] No EDR driver Found!"); } } + ResetValues(); + if(args.Length > 0) + { + running = false; + } } while (running); return; From 77f476880aee450e1bba04f48d8b47fd01dd5020 Mon Sep 17 00:00:00 2001 From: Andriani Date: Sat, 30 Nov 2024 03:12:56 -0500 Subject: [PATCH 5/5] remove comment. --- Program.cs | 2 -- 1 file changed, 2 deletions(-) diff --git a/Program.cs b/Program.cs index 9957c1a..43d87e1 100644 --- a/Program.cs +++ b/Program.cs @@ -86,8 +86,6 @@ static void AttemptDownload() using (System.Net.WebClient wc = new System.Net.WebClient()) { - // Optional: Set headers - // wc.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; AcmeInc/1.0)"); // Subscribe to the DownloadFileCompleted event wc.DownloadFileCompleted += (sender, e) =>