Skip to content

Instantly share code, notes, and snippets.

@IISResetMe
Forked from MHaggis/Scan-LOLDrivers.ps1
Created May 19, 2023 17:08
Show Gist options
  • Save IISResetMe/1a8353ae57710868b31b0e8d41683b95 to your computer and use it in GitHub Desktop.
Save IISResetMe/1a8353ae57710868b31b0e8d41683b95 to your computer and use it in GitHub Desktop.
it works - but use with caution :) it's a bit noisy and I think it's broken
function Scan-LOLDrivers {
param(
[Parameter(Mandatory = $true)]
[string]$path
)
Add-Type -TypeDefinition @"
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.IO;
using System.Text;
public class FileHashScanner {
public static string ComputeSha256(string path) {
try {
using (FileStream stream = File.OpenRead(path)) {
SHA256Managed sha = new SHA256Managed();
byte[] checksum = sha.ComputeHash(stream);
return BitConverter.ToString(checksum).Replace("-", String.Empty);
}
} catch (Exception) {
return null;
}
}
public static string GetAuthenticodeHash(string path) {
try {
X509Certificate2 cert = new X509Certificate2(path);
return BitConverter.ToString(cert.GetCertHash()).Replace("-", String.Empty);
} catch (Exception) {
return null;
}
}
}
"@
Write-Host "Downloading drivers.json..."
$driversJsonUrl = "https://www.loldrivers.io/api/drivers.json"
$driversJsonContent = Invoke-WebRequest -Uri $driversJsonUrl
$driverData = $driversJsonContent.Content | ConvertFrom-Json
Write-Host "Download complete."
Write-Host "Building correlation tables"
$fileHashes = @{}
$authenticodeHashes = @{}
foreach ($driverInfo in $driverData) {
foreach ($sample in $driverInfo.KnownVulnerableSamples) {
'MD5 SHA1 SHA256'.Split() | ForEach-Object {
$fileHashValue = $sample.$_
if ($fileHashValue) {
$fileHashes[$fileHashValue] = $driverInfo
}
$authCodeHashValue = $sample.Authentihash.$_
if ($authCodeHashValue) {
$authenticodeHashes[$authCodeHashValue] = $driverInfo
}
}
}
}
Write-Host "Done building correlation tables"
function Scan-Directory {
param([string]$directory)
Get-ChildItem -Path $directory -Recurse -File | ForEach-Object {
$filePath = $_.FullName
Write-Verbose "Computing hash for $filePath..."
$fileHash = [FileHashScanner]::ComputeSha256($filePath)
$fileAuthenticodeHash = [FileHashScanner]::GetAuthenticodeHash($filePath)
if ($fileHashes.ContainsKey($fileHash)) {
Write-Host "SHA256 hash match found: $filePath with hash $fileHash (matching $($fileHashes[$fileHash]))"
}
if ($fileAuthenticodeHash -and $authenticodeHashes.ContainsKey($fileAuthenticodeHash)) {
Write-Host "Authenticode hash match found: $filePath with hash $fileAuthenticodeHash (matches $($authenticodeHashes[$fileAuthenticodeHash]))"
}
}
}
Write-Host "Starting scan..."
Scan-Directory -directory $path
Write-Host "Scan complete."
}
@IISResetMe
Copy link
Author

@HotCakeX The constructor for X509Certificate2 tries to identify the file type, and if it's a signed file it'll attempt to locate the signing certificate

@HotCakeX
Copy link

HotCakeX commented Aug 5, 2024

@HotCakeX The constructor for X509Certificate2 tries to identify the file type, and if it's a signed file it'll attempt to locate the signing certificate

So which part of the code is calculating the Authenticode hash?

@IISResetMe
Copy link
Author

IISResetMe commented Aug 6, 2024

@HotCakeX None, as far as I'm aware - GetAuthenticodeHash would have been more aptly named GetAuthenticodeSignerHash, but you'll have to ask @MHaggis about the original naming choice :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment