-
-
Save IISResetMe/1a8353ae57710868b31b0e8d41683b95 to your computer and use it in GitHub Desktop.
it works - but use with caution :) it's a bit noisy and I think it's broken
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Scan-LOLDrivers { | |
| param( | |
| [Parameter(Mandatory = $true)] | |
| [string]$path | |
| ) | |
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Security.Cryptography; | |
| using System.Security.Cryptography.X509Certificates; | |
| using System.IO; | |
| using System.Text; | |
| public class FileHashScanner { | |
| public static string ComputeSha256(string path) { | |
| try { | |
| using (FileStream stream = File.OpenRead(path)) { | |
| SHA256Managed sha = new SHA256Managed(); | |
| byte[] checksum = sha.ComputeHash(stream); | |
| return BitConverter.ToString(checksum).Replace("-", String.Empty); | |
| } | |
| } catch (Exception) { | |
| return null; | |
| } | |
| } | |
| public static string GetAuthenticodeHash(string path) { | |
| try { | |
| X509Certificate2 cert = new X509Certificate2(path); | |
| return BitConverter.ToString(cert.GetCertHash()).Replace("-", String.Empty); | |
| } catch (Exception) { | |
| return null; | |
| } | |
| } | |
| } | |
| "@ | |
| Write-Host "Downloading drivers.json..." | |
| $driversJsonUrl = "https://www.loldrivers.io/api/drivers.json" | |
| $driversJsonContent = Invoke-WebRequest -Uri $driversJsonUrl | |
| $driverData = $driversJsonContent.Content | ConvertFrom-Json | |
| Write-Host "Download complete." | |
| Write-Host "Building correlation tables" | |
| $fileHashes = @{} | |
| $authenticodeHashes = @{} | |
| foreach ($driverInfo in $driverData) { | |
| foreach ($sample in $driverInfo.KnownVulnerableSamples) { | |
| 'MD5 SHA1 SHA256'.Split() | ForEach-Object { | |
| $fileHashValue = $sample.$_ | |
| if ($fileHashValue) { | |
| $fileHashes[$fileHashValue] = $driverInfo | |
| } | |
| $authCodeHashValue = $sample.Authentihash.$_ | |
| if ($authCodeHashValue) { | |
| $authenticodeHashes[$authCodeHashValue] = $driverInfo | |
| } | |
| } | |
| } | |
| } | |
| Write-Host "Done building correlation tables" | |
| function Scan-Directory { | |
| param([string]$directory) | |
| Get-ChildItem -Path $directory -Recurse -File | ForEach-Object { | |
| $filePath = $_.FullName | |
| Write-Verbose "Computing hash for $filePath..." | |
| $fileHash = [FileHashScanner]::ComputeSha256($filePath) | |
| $fileAuthenticodeHash = [FileHashScanner]::GetAuthenticodeHash($filePath) | |
| if ($fileHashes.ContainsKey($fileHash)) { | |
| Write-Host "SHA256 hash match found: $filePath with hash $fileHash (matching $($fileHashes[$fileHash]))" | |
| } | |
| if ($fileAuthenticodeHash -and $authenticodeHashes.ContainsKey($fileAuthenticodeHash)) { | |
| Write-Host "Authenticode hash match found: $filePath with hash $fileAuthenticodeHash (matches $($authenticodeHashes[$fileAuthenticodeHash]))" | |
| } | |
| } | |
| } | |
| Write-Host "Starting scan..." | |
| Scan-Directory -directory $path | |
| Write-Host "Scan complete." | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I see the code mentions "Authenticode" hash but all I'm seeing is flat file hashes. Getting the Authenticode hash of a file has an entirely different process using
Wintrust.dll. Code integrity in Windows also uses first page hash of the PEs. All of these CI hashes can be calculated using the following commandGet-CiFileHashes, More info: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Get-CiFileHashes