-
Notifications
You must be signed in to change notification settings - Fork 166
HolyGrail BYOVD Scanner
HolyGrail analyzes Windows drivers to identify legitimate signed drivers that can be exploited for BYOVD (Bring Your Own Vulnerable Driver) attacks.
The scanner evaluates drivers to help identify vulnerable drivers that can bypass current security controls:
- LOLDrivers Detection - Checks drivers against the known vulnerable drivers database
- Policy Compliance - Tests against Microsoft Windows 10/11 driver blocking policies
- Import Analysis - Identifies dangerous function imports for privileged operations
- Certificate Validation - Analyzes driver signatures and certificate chains
analyze_single_driver() performs comprehensive driver evaluation:
- File Processing - Loads driver and parses PE structure
- Hash Calculation - Computes SHA256 hash for database lookups
- Import Extraction - Scans for dangerous Windows API imports
- Policy Checking - Tests against Microsoft blocking rules
- Report Generation - Creates detailed analysis results
LolDriversChecker validates against known vulnerable drivers:
- Loads
lol_drivers.jsoncontaining driver hashes from LOLDrivers project - Matches driver SHA256 against known vulnerable driver entries
- Identifies drivers with documented security issues
msft_block_policy() checks compliance with Windows security policies:
- Hash-Based Rules - Compares file and image hashes against blocked lists
- Version Rules - Validates filename and version combinations
- Certificate Rules - Analyzes signing certificates and certificate chains
- Unsigned Detection - Flags unsigned drivers as blocked
DriverInfo::new() extracts driver characteristics:
- Architecture Detection - Identifies x32/x64 from PE headers
- Import Scanning - Extracts function imports from import table
- Fallback Analysis - Scans for function names when PE parsing fails
- Metadata Extraction - Gets file version and original filename
The scanner identifies high-risk function imports in categories:
- Physical Memory Access - Functions for direct memory manipulation
- Process Manipulation - APIs for process access and control
- Section Mapping - Virtual memory mapping capabilities
- Communication - Device and filter communication interfaces
parse_pe_certificates() validates driver signatures:
- Extracts certificate data from PE security directory
- Parses PKCS#7 certificate structures
- Computes certificate thumbprints and TBS hashes
- Validates against policy certificate rules
The scanner produces analysis reports containing:
- Basic Information - Driver name, path, size, architecture, version
- Security Status - LOLDriver status, policy compliance, dangerous capabilities
- Import Analysis - Critical function imports detected
- Certificate Details - Signature validation and certificate information
- Blocking Details - Specific policy rules that would block the driver
Analysis Output: Utils\DoppelgangerDB\HolyGrail\Analysis\
Policy Files: Located in configured policies directory containing Windows blocking rules and LOLDrivers database
- π Home
- π§ Application Architecture
- π Dashboard
- π All in One Pipeline
- π― Detection Score Explained
- 𧬠Blender Scanner
- π FuzzyHash Scanner
- π‘οΈ HolyGrail BYOVD Scanner
- π YARA Rules Management