added a few more error catches and logging etc + added drivers.json on disk support
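function Scan-LOLDrivers {
    <#
    .SYNOPSIS
        Scans a directory tree for files whose hashes appear in the LOLDrivers
        (loldrivers.io) list of known vulnerable / abused drivers.
    .DESCRIPTION
        Loads drivers.json (from disk if present, otherwise downloaded over
        HTTPS), builds lookup tables from every KnownVulnerableSamples entry,
        then walks $path recursively and reports each file whose SHA256 is in
        the table, or whose signing-certificate hash is in the Authentihash
        table (see the caveat on GetAuthenticodeHash below).

        This is a disk-only check: a match does not mean the driver is loaded,
        and a file that is absent from the list is not thereby safe.
    .PARAMETER path
        Root directory to scan recursively.
    .PARAMETER DriversJsonPath
        Location of a local drivers.json. Defaults to ./drivers.json, i.e.
        relative to the CURRENT directory, so run the scan from a location
        untrusted users cannot write to: a planted, empty or truncated
        drivers.json would otherwise shrink the detection set.
    .OUTPUTS
        None. Findings are written to the host with Write-Host.
    .NOTES
        Needs network access to https://www.loldrivers.io when no local
        drivers.json exists. Throws if no hash data could be loaded rather
        than completing a scan that can never match anything.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$path,

        [string]$DriversJsonPath = "./drivers.json"
    )

    # Compile the helper once per session. Add-Type silently accepts an
    # identical definition on repeat calls, but the guard also avoids the
    # "type already exists" error if a different FileHashScanner was loaded.
    if (-not ('FileHashScanner' -as [type])) {
        Add-Type -TypeDefinition @"
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.IO;
using System.Text;

public class FileHashScanner {
    // Hex-encoded (uppercase, no separators) SHA-256 of the file contents, or
    // null if the file cannot be opened or read. The error is printed rather
    // than thrown so one unreadable file does not abort the whole scan.
    public static string ComputeSha256(string path) {
        try {
            using (FileStream stream = File.OpenRead(path))
            using (SHA256 sha = SHA256.Create()) {
                byte[] digest = sha.ComputeHash(stream);
                return BitConverter.ToString(digest).Replace("-", String.Empty);
            }
        } catch (Exception ex) {
            // Include the path: without it the log line cannot be acted on.
            Console.WriteLine("ComputeSha256 Error: " + path + " " + ex.Message);
            return null;
        }
    }

    // Hex-encoded hash of the Authenticode SIGNING CERTIFICATE embedded in the
    // PE at 'path' (X509Certificate2.GetCertHash, i.e. the certificate
    // thumbprint), or null for unsigned / non-PE files.
    //
    // NOTE(review): this is the certificate thumbprint, not the PE
    // Authentihash (the image digest the LOLDrivers "Authentihash" fields
    // carry), so the caller's Authentihash lookup is unlikely to ever hit.
    // A true Authentihash needs imagehlp/WinTrust (ImageGetDigestStream);
    // until that exists, treat the SHA256 file-hash match as the reliable
    // signal and this one as best-effort.
    public static string GetAuthenticodeHash(string path) {
        try {
            X509Certificate2 cert = new X509Certificate2(path);
            return BitConverter.ToString(cert.GetCertHash()).Replace("-", String.Empty);
        } catch (Exception) {
            // Most files are not signed PEs; this is the expected failure
            // mode, so stay quiet (enable the line below when debugging).
            //Console.WriteLine("GetAuthenticodeHash Error: " + path);
            return null;
        }
    }
}
"@
    }

    # --- Load the LOLDrivers data --------------------------------------------
    Write-Host "Checking for drivers.json on disk"
    $driverData = $null
    if (Test-Path -LiteralPath $DriversJsonPath) {
        Write-Host "drivers.json found on disk"
        # -Raw hands ConvertFrom-Json a single string. Without the conversion
        # the on-disk branch yields an array of text lines whose
        # .KnownVulnerableSamples is null, and the scan silently finds nothing.
        try {
            $driverData = Get-Content -LiteralPath $DriversJsonPath -Raw | ConvertFrom-Json
        } catch {
            throw "Could not parse ${DriversJsonPath} as JSON: $($_.Exception.Message)"
        }
        Write-Host "drivers.json loaded"
    }
    else {
        Write-Host "Downloading drivers.json..."
        $driversJsonUrl = "https://www.loldrivers.io/api/drivers.json"
        try {
            # -UseBasicParsing skips the IE DOM parser on Windows PowerShell 5.1
            # (which can stall before IE first-run setup); PowerShell 7 accepts
            # and ignores the switch.
            $response = Invoke-WebRequest -Uri $driversJsonUrl -UseBasicParsing
            $driverData = $response.Content | ConvertFrom-Json
        } catch {
            # Fail loudly: continuing with $driverData = $null would "complete"
            # a scan with zero detections.
            throw "Could not download or parse ${driversJsonUrl}: $($_.Exception.Message)"
        }
        Write-Host "Download complete."
    }

    # --- Build correlation tables --------------------------------------------
    # PowerShell hashtables compare string keys case-insensitively, so the
    # uppercase hex from BitConverter matches lowercase hex in drivers.json.
    Write-Host "Building correlation tables"
    $fileHashes = @{}
    $authenticodeHashes = @{}
    $algorithms = 'MD5', 'SHA1', 'SHA256'
    foreach ($driverInfo in $driverData) {
        foreach ($sample in $driverInfo.KnownVulnerableSamples) {
            foreach ($alg in $algorithms) {
                $fileHashValue = $sample.$alg
                if ($fileHashValue) {
                    $fileHashes[$fileHashValue] = $driverInfo
                }
                $authCodeHashValue = $sample.Authentihash.$alg
                if ($authCodeHashValue) {
                    $authenticodeHashes[$authCodeHashValue] = $driverInfo
                }
            }
        }
    }
    # Refuse to scan with nothing to match against: an empty table means the
    # data was empty, malformed or tampered with, and a clean "Scan complete."
    # would be false assurance.
    if ($fileHashes.Count -eq 0 -and $authenticodeHashes.Count -eq 0) {
        throw "No hashes were loaded from drivers.json; refusing to scan with an empty correlation table."
    }
    Write-Host "Done building correlation tables ($($fileHashes.Count) file hashes, $($authenticodeHashes.Count) Authentihash entries)"

    # Walks $directory recursively and reports every file whose SHA256 (or
    # signing-certificate hash) is in the tables. Reads $fileHashes and
    # $authenticodeHashes from the enclosing scope, so it must be called from
    # within Scan-LOLDrivers.
    function Scan-Directory {
        param([string]$directory)
        Write-Host "Scanning $directory"
        # -Force includes hidden/system files, which is where a planted driver
        # is most likely to sit. Access-denied errors are reported by
        # Get-ChildItem but do not stop the walk.
        Get-ChildItem -LiteralPath $directory -Recurse -File -Force | ForEach-Object {
            $filePath = $_.FullName
            Write-Verbose "Computing hash for $filePath..."
            $fileHash = [FileHashScanner]::ComputeSha256($filePath)
            if ($null -eq $fileHash) {
                Write-Host "Cannot compute hash for $filePath, skipping..."
                return
            }
            if ($fileHashes.ContainsKey($fileHash)) {
                Write-Host "SHA256 hash match found: $filePath with hash $fileHash (matching $($fileHashes[$fileHash]))"
            }
            $fileAuthenticodeHash = [FileHashScanner]::GetAuthenticodeHash($filePath)
            if ($fileAuthenticodeHash -and $authenticodeHashes.ContainsKey($fileAuthenticodeHash)) {
                Write-Host "Authenticode hash match found: $filePath with hash $fileAuthenticodeHash (matches $($authenticodeHashes[$fileAuthenticodeHash]))"
            }
        }
    }

    Write-Host "Starting scan..."
    Scan-Directory -directory $path
    Write-Host "Scan complete."
}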
# If the session's execution policy blocks this script, relax it for this
# process only (-Scope Process); do not widen it machine-wide for a one-off scan.
#Set-ExecutionPolicy Unrestricted -Scope Process -Force

# Uncomment to see the per-file "Computing hash for ..." progress lines.
#$VerbosePreference = "Continue"

# Example directories to scan. Each call loads drivers.json again (from the
# working directory if present, otherwise by download), so keep a local copy
# next to where you run this to avoid repeated fetches.
$scanRoots = @(
    "$env:windir\inf",
    "$env:windir\System32\drivers",
    "$env:windir\System32\DriverStore\FileRepository"
)
foreach ($root in $scanRoots) {
    Scan-LOLDrivers -path $root
}