A Windows kernel driver vulnerability scanner designed for educational and research purposes. The tool scans multiple system tables and modules for traces of known vulnerable kernel drivers, the kind that can be used to map an unsigned driver into kernel memory. It operates at kernel level and can crash the system if used incorrectly, so update offsets.h before using it. The project was written about 2 years ago but should still work correctly.

| Module | Table |
|---|---|
| ci.dll | g_kernelHashBucketList |
| ci.dll | g_CiEaCacheLookasideList |
| ntoskrnl.exe | MiPinDriverAddressLog |
| ntoskrnl.exe | PiDDBCacheTable |
| ntoskrnl.exe | MmUnloadedDrivers |
| WdFilter.sys | RuntimeDrivers |

For automated driver analysis, use the included timestamp dumper script to extract timestamps and names from a list of drivers. Some drivers have no name in their DEBUG properties, so the name may come out blank and you need to fill it in yourself. To use the script, place your drivers in the /drivers directory and run it.

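```c
/* One blocklist entry: driver file name plus its timestamp. */
struct blacklisted_drivers {
    const wchar_t* name;
    uint32_t timestamp;
};

/* Placeholder entry; replace with the names and timestamps from the dumper script. */
static const struct blacklisted_drivers drivers[1] = {
    { L"vulnerable_driver.sys", 0xFFFFFFFF },
};
```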
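
What such a dumper has to do, as an added sketch that is not the project's included script: read `TimeDateStamp` from the COFF header and the PDB name from the CodeView debug record, then format an initializer for the `drivers` array. The function names, the constructed sample image, the use of the PE header timestamp, and the rule that the driver name is the PDB base name with `.sys` are all assumptions made for illustration.

```python
import struct

def pe_timestamp_and_name(data: bytes):
    """Return (COFF TimeDateStamp, PDB file name or an empty string)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, stamp, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24                                            # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)             # PE32+ vs PE32
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 6:     # NumberOfRvaAndSizes
        return stamp, ""
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)
    off = None
    for i in range(nsec):                                    # RVA -> file offset
        vsize, va, rsize, raw = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        if va <= dbg_rva < va + max(vsize, rsize):
            off = raw + dbg_rva - va
    if off is None:
        return stamp, ""                                     # no debug directory
    for entry in range(off, off + dbg_size - 27, 28):        # IMAGE_DEBUG_DIRECTORY
        dtype, dsize, _, raw = struct.unpack_from("<IIII", data, entry + 12)
        if dtype == 2 and data[raw:raw + 4] == b"RSDS":      # CodeView PDB 7.0
            path = data[raw + 24:raw + dsize].split(b"\0")[0].decode("utf-8", "replace")
            return stamp, path.replace("\\", "/").rsplit("/", 1)[-1]
    return stamp, ""

def blocklist_entry(data: bytes) -> str:
    stamp, pdb = pe_timestamp_and_name(data)
    # Assumption: the driver name is the PDB base name with a .sys extension.
    name = pdb.rsplit(".", 1)[0] + ".sys" if pdb else ""
    return '{ L"%s", 0x%08X },' % (name, stamp)

def build_sample_pe(stamp: int, pdb_path: str) -> bytes:
    """Constructed minimal PE32+ image: headers, one section, one debug entry."""
    cv = b"RSDS" + bytes(20) + pdb_path.encode() + b"\0"
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    dirs = bytes(6 * 8) + struct.pack("<II", 0x1000, 28) + bytes(9 * 8)
    sect = b".rdata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    dbg = struct.pack("<IIHHIIII", 0, stamp, 0, 0, 2, len(cv), 0x101C, 0x21C)
    return (dos + coff + opt + dirs + sect).ljust(0x200, b"\0") + dbg + cv

SAMPLE = build_sample_pe(0x5A3B1C2D, r"C:\build\sample_vuln.pdb")  # constructed
```

An image with no CodeView record yields an empty name, which is the blank case that has to be filled in by hand.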