@ConanChiles
Last active June 29, 2023 14:26
search local system for known lolDrivers
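#Requires -Version 5.1
# Search the local Windows driver locations for files whose hash appears in the
# LOLDrivers feed (https://www.loldrivers.io/api/drivers.json) of known
# vulnerable / abusable drivers. Findings are printed as JSON; nothing on the
# system is modified. Run from an elevated session so every location is readable.
# A match means the file is present on disk; it does not show the driver is loaded.
Set-StrictMode -Version 'latest'
$ErrorActionPreference = 'stop'

# Directories to hash. They are walked recursively because FileRepository (and
# parts of System32\drivers) keep driver packages in per-package subfolders.
$DirPathDrivers = @(
    'C:\WINDOWS\inf'
    'C:\WINDOWS\System32\drivers'
    'C:\WINDOWS\System32\DriverStore\FileRepository'
)

# Hash algorithms computed locally and looked up in the feed, in lookup order.
$HashTypes = @('SHA256', 'SHA1', 'MD5')

# Returns the value of property $Name on $Object, or $null when $Object is null
# or the property is absent. Set-StrictMode turns a direct access to a missing
# property into a terminating error, and feed entries do not all carry the same
# properties (e.g. some lack KnownVulnerableSamples or one of the hash fields).
function Get-PropertyValueOrNull {
    param ( $Object, [string]$Name )
    if ( $null -eq $Object ) { return $null }
    $prop = $Object.PSObject.Properties[$Name]
    if ( $null -eq $prop ) { return $null }
    return $prop.Value
}

# The feed is cached in the session variable: re-running the script in the same
# PowerShell session reuses the JSON already downloaded.
if ( !(Test-Path -Path 'Variable:lolDriversJson' -PathType Leaf) ) {
    [datetime]::Now.ToString('o') | Write-Host -ForegroundColor Cyan
    'downloading lolDriver JSON' | Write-Host -ForegroundColor Cyan
    # Windows PowerShell 5.1 may default to TLS 1.0/1.1; add TLS 1.2 without
    # removing any protocol that is already enabled.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12
    $lolDriversJson = Invoke-RestMethod -Method Get -Uri 'https://www.loldrivers.io/api/drivers.json'
}

# contains duplicates
# $lolDriversJson.KnownVulnerableSamples | Group-Object -Property 'SHA256' | Where-Object -Property 'Count' -NE 1
# $lolDriversJson.KnownVulnerableSamples | Group-Object -Property 'SHA1' | Where-Object -Property 'Count' -NE 1
# $lolDriversJson.KnownVulnerableSamples | Group-Object -Property 'MD5' | Where-Object -Property 'Count' -NE 1
<# missing hashes
$lolDriversJson.KnownVulnerableSamples | Where-Object -FilterScript {
    !($PSItem | Get-Member).Name.Contains('SHA256') -or
    !($PSItem | Get-Member).Name.Contains('SHA1') -or
    !($PSItem | Get-Member).Name.Contains('MD5')
}
#>

$execTimeStart = [datetime]::Now
[datetime]::Now.ToString('o') | Write-Host -ForegroundColor Cyan
'building hashtable of driver files and their hashes' | Write-Host -ForegroundColor Cyan
# hash (any algorithm) -> @{ HashType; path }. Case-insensitive keys, because the
# feed and Get-FileHash do not necessarily agree on hex-digit case.
$htDriverHashPath = [hashtable]::new([System.StringComparer]::OrdinalIgnoreCase)
# Files that could not be hashed (locked or access denied); reported at the end
# so a partial scan is visible instead of silently looking "clean".
$skippedFiles = [System.Collections.Generic.List[string]]::new()
foreach ( $driverDir in $DirPathDrivers ) {
    if ( !(Test-Path -LiteralPath $driverDir -PathType Container) ) {
        "skipping missing directory: $driverDir" | Write-Warning
        continue
    }
    # -ErrorAction SilentlyContinue: an unreadable subfolder must not abort the scan.
    foreach ( $driverFile in (Get-ChildItem -File -Recurse -LiteralPath $driverDir -ErrorAction SilentlyContinue) ) {
        foreach ( $hashType in $HashTypes ) {
            try {
                $driverFileHash = Get-FileHash -LiteralPath $driverFile.FullName -Algorithm $hashType
            } catch {
                # locked / unreadable file: record it and move on to the next file
                $skippedFiles.Add($driverFile.FullName)
                break
            }
            if ( !$htDriverHashPath.ContainsKey($driverFileHash.Hash) ) {
                $htDriverHashPath.Add(
                    $driverFileHash.Hash, @{
                        'HashType' = $hashType
                        'path'     = $driverFileHash.Path
                    }
                )
            }
        }
    }
}

<# test to produce a match
[datetime]::Now.ToString('o') | Write-Host -ForegroundColor Cyan
'adding a test case to the installed driver list' | Write-Host -ForegroundColor Cyan
$testDummyDriverFile = ($lolDriversJson | Get-Random -Count 1).KnownVulnerableSamples | Get-Random -Count 1
foreach ( $hashType in $HashTypes ) {
    $testHash = Get-PropertyValueOrNull -Object $testDummyDriverFile -Name $hashType
    if ( ![string]::IsNullOrWhiteSpace($testHash) ) {
        $htDriverHashPath.Add($testHash, @{ 'HashType' = $hashType; 'path' = '#test#' })
        break
    }
}
#>

[datetime]::Now.ToString('o') | Write-Host -ForegroundColor Cyan
'looking for lolDriver hash matches' | Write-Host -ForegroundColor Cyan
# matched hash -> @{ driverPath = local hashtable entry; lolDriver = feed entry }
$htSearchResults = [hashtable]::new([System.StringComparer]::OrdinalIgnoreCase)
$samplesWithoutHash = 0
foreach ( $lolDriver in $lolDriversJson ) {
    # Feed entries without KnownVulnerableSamples are skipped rather than
    # aborting the whole run (this is the "property cannot be found" failure).
    $samples = Get-PropertyValueOrNull -Object $lolDriver -Name 'KnownVulnerableSamples'
    if ( $null -eq $samples ) { continue }
    foreach ( $KnownVulnerableSample in $samples ) {
        $hasHash = $false
        # Try every hash the sample carries, not only the first property present:
        # a sample may list an empty SHA256 next to a usable SHA1 or MD5.
        foreach ( $hashType in $HashTypes ) {
            $sampleHash = Get-PropertyValueOrNull -Object $KnownVulnerableSample -Name $hashType
            if ( [string]::IsNullOrWhiteSpace($sampleHash) ) { continue }
            $hasHash = $true
            if ( $htDriverHashPath.ContainsKey($sampleHash) ) {
                if ( !$htSearchResults.ContainsKey($sampleHash) ) {
                    $htSearchResults.Add(
                        $sampleHash, @{
                            'driverPath' = $htDriverHashPath[$sampleHash]
                            'lolDriver'  = $lolDriver
                        }
                    )
                }
                # one result per sample is enough; the other hash types
                # would only duplicate the same local file
                break
            }
        }
        if ( !$hasHash ) { $samplesWithoutHash++ }
    }
}

Write-Host
Write-Host
'time (seconds) to run, excluding download of lolDriver JSON' | Write-Host
(New-TimeSpan -Start $execTimeStart -End ([datetime]::Now)).TotalSeconds | Write-Host
Write-Host
Write-Host
[datetime]::Now.ToString('o') | Write-Host -ForegroundColor Cyan
if ( $skippedFiles.Count -ne 0 ) {
    "files that could not be hashed (scan is partial): $($skippedFiles.Count)" | Write-Warning
}
if ( $samplesWithoutHash -ne 0 ) {
    "feed samples without any hash (not checked): $samplesWithoutHash" | Write-Warning
}
if ( $htSearchResults.Count -eq 0 ) {
    'no lolDrivers found' | Write-Host -ForegroundColor Green
} else {
    'lolDrivers found!' | Write-Host -ForegroundColor Red
    # the default ConvertTo-Json depth (2) truncates the nested lolDriver entry
    $htSearchResults | ConvertTo-Json -Depth 10 | Write-Host
}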
@mbradley73

Error at runtime:
The property 'KnownVulnerableSamples' cannot be found on this object. Verify that the property exists.
At line:84 char:41
