Skip to content

HolyGrail BYOVD Scanner

BlackSnufkin edited this page Sep 6, 2025 · 2 revisions

HolyGrail Scanner

HolyGrail analyzes Windows drivers to identify legitimate signed drivers that can be exploited for BYOVD (Bring Your Own Vulnerable Driver) attacks.

What It Does

The scanner evaluates drivers to help identify vulnerable drivers that can bypass current security controls:

  • LOLDrivers Detection - Checks drivers against the known vulnerable drivers database
  • Policy Compliance - Tests against Microsoft Windows 10/11 driver blocking policies
  • Import Analysis - Identifies dangerous function imports for privileged operations
  • Certificate Validation - Analyzes driver signatures and certificate chains

How It Works

Driver Analysis Process

analyze_single_driver() performs comprehensive driver evaluation:

  1. File Processing - Loads driver and parses PE structure
  2. Hash Calculation - Computes SHA256 hash for database lookups
  3. Import Extraction - Scans for dangerous Windows API imports
  4. Policy Checking - Tests against Microsoft blocking rules
  5. Report Generation - Creates detailed analysis results

LOLDrivers Database Integration

LolDriversChecker validates against known vulnerable drivers:

  • Loads lol_drivers.json containing driver hashes from LOLDrivers project
  • Matches driver SHA256 against known vulnerable driver entries
  • Identifies drivers with documented security issues

Microsoft Policy Validation

msft_block_policy() checks compliance with Windows security policies:

  • Hash-Based Rules - Compares file and image hashes against blocked lists
  • Version Rules - Validates filename and version combinations
  • Certificate Rules - Analyzes signing certificates and certificate chains
  • Unsigned Detection - Flags unsigned drivers as blocked

Technical Implementation

PE Analysis

DriverInfo::new() extracts driver characteristics:

  • Architecture Detection - Identifies x32/x64 from PE headers
  • Import Scanning - Extracts function imports from import table
  • Fallback Analysis - Scans for function names when PE parsing fails
  • Metadata Extraction - Gets file version and original filename

Dangerous Import Categories

The scanner identifies high-risk function imports in categories:

  • Physical Memory Access - Functions for direct memory manipulation
  • Process Manipulation - APIs for process access and control
  • Section Mapping - Virtual memory mapping capabilities
  • Communication - Device and filter communication interfaces

Certificate Analysis

parse_pe_certificates() validates driver signatures:

  • Extracts certificate data from PE security directory
  • Parses PKCS#7 certificate structures
  • Computes certificate thumbprints and TBS hashes
  • Validates against policy certificate rules

Analysis Results

The scanner produces analysis reports containing:

  • Basic Information - Driver name, path, size, architecture, version
  • Security Status - LOLDriver status, policy compliance, dangerous capabilities
  • Import Analysis - Critical function imports detected
  • Certificate Details - Signature validation and certificate information
  • Blocking Details - Specific policy rules that would block the driver

Database Storage

Analysis Output: Utils\DoppelgangerDB\HolyGrail\Analysis\

Policy Files: Located in configured policies directory containing Windows blocking rules and LOLDrivers database

πŸ“Œ LitterBox Β· self-hosted payload analysis sandbox

Release


πŸš€ Getting Started

πŸ“Š Pipelines & Pages

πŸ”¬ Scanners Β· 4 modules

πŸ›°οΈ EDR Integration
πŸ”Œ API & Clients
βš™οΈ Configuration & Dev

Releases Β· CHANGELOG Β· Issues Β· README

Clone this wiki locally